[Snort-sigs] 2515 "WEB-MISC PCT Client_Hello" FPs
bmc at ...95...
Fri Jun 25 11:58:01 EDT 2004
On Fri, Jun 25, 2004 at 02:42:26PM -0400, sekure wrote:
> I am wondering if any more tightening up can be performed on the rev:9
> of this rule. I still see a lot of False Positives. It also
> accurately alerts on "legitimate" overflow attempts, but the FPs are
> killing me.
> I guess i can always suppress it since I am not really running any IIS
> boxes, but I like to keep most of the current rules on, even if they
> don't apply to me, just to see who is trying what.
Send me pcap, I'll take a look.
For most rules, I can't do much without pcap to clean up false positives.
More information about the Snort-sigs