[Snort-sigs] False positive
Hugo van der Kooij
hvdkooij at ...481...
Fri Mar 12 14:26:08 EST 2004
On Wed, 10 Mar 2004, Michaël Catroux wrote:
> I have a false positive with a signature.
> This is an example:
> [**] [1:1333:4] WEB-ATTACKS id command attempt [**]
> [Classification: Web Application Attack] [Priority: 1]
> 03/09-15:36:41.932504 188.8.131.52:80 -> 172.X.X.X:1191
> TCP TTL:48 TOS:0x0 ID:24248 IpLen:20 DgmLen:1500 DF
> ***A**** Seq: 0x338D6871 Ack: 0x9BFDB12F Win: 0x19EC TcpLen: 20
Could you clarify why it is a false positive?
And if there is a way to improve the signature?
All email sent to me is bound to the rules described on my homepage.
hvdkooij at ...481... http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins,
for they are subtle and quick to anger.