[Snort-sigs] False positive

Hugo van der Kooij hvdkooij at ...481...
Fri Mar 12 14:26:08 EST 2004

On Wed, 10 Mar 2004, [iso-8859-1] Michaël Catroux wrote:

> I have a false positive with a signature.
> This is an example :
> [**] [1:1333:4] WEB-ATTACKS id command attempt [**]
> [Classification: Web Application Attack] [Priority: 1]
> 03/09-15:36:41.932504 -> 172.X.X.X:1191
> TCP TTL:48 TOS:0x0 ID:24248 IpLen:20 DgmLen:1500 DF
> ***A**** Seq: 0x338D6871  Ack: 0x9BFDB12F  Win: 0x19EC  TcpLen: 20

Could you clarify why it is a false positive?
And if there is a way to improve the signature?


 All email sent to me is bound to the rules described on my homepage.
    hvdkooij at ...481...		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.

More information about the Snort-sigs mailing list