[Snort-sigs] 2515 "WEB-MISC PCT Client_Hello" FPs

Brian bmc at ...95...
Fri Jun 25 11:58:01 EDT 2004


On Fri, Jun 25, 2004 at 02:42:26PM -0400, sekure wrote:
> I am wondering if any more tightening up can be performed on the rev:9
> of this rule.  I still see a lot of False Positives.  It also
> accurately alerts on "legitimate" overflow attempts, but the FPs are
> killing me.
> 
> I guess I can always suppress it since I am not really running any IIS
> boxes, but I like to keep most of the current rules on, even if they
> don't apply to me, just to see who is trying what.

Send me pcap, I'll take a look.  

For most rules, I can't do much without pcap to clean up false positives.

Brian



