[Snort-sigs] SID 1432 & Correcting false positives.
Barnes Brandon Amn AFWA/SCHS
brandon.barnes at ...2455...
Tue May 4 06:33:07 EDT 2004

I encountered the common false positives from SID 1432. Looking at the
archives, quite a few mention the false positive and a few call to delete
it. But why not just modify it? Replace !80 with any, and add exclusions of
http and https in the content. I personally don't see any downsides to this.
I could be wrong as I'm new to this, so please let me know.

Brandon M. Barnes, Amn, USAF
Intrusion Detection Specialist
HQ AFWA NOSC