[Snort-sigs] False Positives with SIDs 2505 and 2506?
bmc at ...95...
Mon May 10 14:35:06 EDT 2004
On Thu, May 06, 2004 at 02:41:34PM +1000, Chris Keladis wrote:
> SID 2505 is falsely firing due to a bug in Snort. I've sent a pcap to the
> Snort developers and there should be a solution soon.
Well, sorta. This is more of a feature that wasn't fully thought out.
In some cases, automatic recursion is not desired. I'm coming up with
text to put in the manual that explains what this bug is and how to
work around it.
> SID 2506 however is a bit weird (for me anyway). It alerts if the
> client_hello.timestamp bytes are > 2147483647 (a 32bit signed int).
2506 is now "deleted". Some browsers are dumb and send invalid
timestamps. As such, these trigger on normal traffic. So... they are