[Snort-sigs] False Positives with SIDs 2505 and 2506?

Timothy Wright twright at ...379...
Mon May 3 04:54:12 EDT 2004

Is anyone out there seeing false positives with rules 2505 and 2506 
(WEB-MISC invalid SSLv3 data version and timestamp attempts, 
respectively)?  I seem to be racking up a good number of hits that just 
don't fit the M.O. of attack traffic (e.g., large number of local, 
source hosts, very low level of events coming from each, all of the 
traffic aimed at the same few local web servers).  Many of the source 
hosts appear to be Macs - which somewhat adds to my suspicions.




Timothy Wright, CISSP
Information Security
Office of Information Technologies
University of Notre Dame

More information about the Snort-sigs mailing list