[Snort-sigs] SID 1432 & Correcting false positives.

Barnes Brandon Amn AFWA/SCHS brandon.barnes at ...2455...
Tue May 4 06:33:07 EDT 2004


I encountered the common false positives from SID 1432. Looking at the
archives, quite a few mention the false positive and a few call to delete
it. But why not just modify it? Replace !80 with any, and add exclusions of
http and https in the content. I personally don't see any downsides to this.
I could be wrong as I'm new to this, so please let me know.

Brandon M. Barnes, Amn, USAF
Intrusion Detection Specialist
HQ AFWA NOSC





