[Snort-sigs] False Positives with SIDs 2505 and 2506?
twright at ...379...
Mon May 3 04:54:12 EDT 2004
Is anyone out there seeing false positives with rules 2505 and 2506
(WEB-MISC invalid SSLv3 data version and timestamp attempts,
respectively)? I seem to be racking up a good number of hits that just
don't fit the M.O. of attack traffic (e.g., large number of local
source hosts, very low level of events coming from each, all of the
traffic aimed at the same few local web servers). Many of the source
hosts appear to be Macs - which somewhat adds to my suspicions.
Timothy Wright, CISSP
Office of Information Technologies
University of Notre Dame
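
The traffic shape described in the post above (many local sources, few events from each, the same few destination servers) can be measured directly from the alert log. The following is an added example, not part of the original post; it assumes Snort's "fast" alert output format, and the sample lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Snort "fast" alert layout: ts [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\].*?"
    r"\{\w+\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+"
)

# Constructed sample data (addresses, revisions and message text are made up).
_ROWS = (
    [(2505, "10.1.1.11", "10.1.0.5"), (2505, "10.1.1.12", "10.1.0.5"),
     (2505, "10.1.1.13", "10.1.0.6"), (2505, "10.1.1.14", "10.1.0.6"),
     (2505, "10.1.1.11", "10.1.0.6"), (1000, "10.1.1.15", "10.1.0.5")]
    + [(2506, "10.9.9.9", "10.1.0.5")] * 6
)
SAMPLE_ALERTS = [
    f"05/03-04:10:{i:02d}.000000  [**] [1:{sid}:1] constructed alert [**] "
    f"[Priority: 2] {{TCP}} {src}:{40000 + i} -> {dst}:443"
    for i, (sid, src, dst) in enumerate(_ROWS)
]

def summarize(lines, sids=(2505, 2506)):
    """Per SID: event count, distinct sources, busiest source, destinations."""
    srcs, dsts = defaultdict(Counter), defaultdict(set)
    for line in lines:
        m = ALERT_RE.search(line)
        if m and int(m["sid"]) in sids:
            srcs[int(m["sid"])][m["src"]] += 1
            dsts[int(m["sid"])].add(m["dst"])
    return {
        sid: {"events": sum(c.values()), "sources": len(c),
              "max_per_source": max(c.values()), "destinations": sorted(dsts[sid])}
        for sid, c in srcs.items()
    }

def is_diffuse(stats, min_sources=3, max_per_source=3, max_dests=3):
    """True for the many-sources / few-events-each / few-servers shape.
    Thresholds are illustrative assumptions, not tuned values."""
    return (stats["sources"] >= min_sources
            and stats["max_per_source"] <= max_per_source
            and len(stats["destinations"]) <= max_dests)

if __name__ == "__main__":
    for sid, stats in sorted(summarize(SAMPLE_ALERTS).items()):
        print(sid, stats, "diffuse" if is_diffuse(stats) else "concentrated")
```

A "diffuse" result only quantifies the distribution; confirming a false positive still requires inspecting the flagged packets against the rule content.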