[Snort-sigs] SID 1:2278 False Positive

Juan Alvarez Ferrando juan.alvarez at ...3003...
Mon Feb 21 07:05:26 EST 2005


# This is a template for submitting snort signature descriptions to # the
snort.org website # 
# Ensure that your descriptions are your own 
# and not the work of others.  References in the rules themselves # should
be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary 
# and someone else perhaps will be able to fix it. 
# 
# $Id$
#
# 

#Rule:  

--
Sid: 1:2278

--
#Summary:

--
#Impact:

--
#Detailed Information:

--
#Affected Systems:

--
#Attack Scenarios:

--
#Ease of Attack:

--
False Positives:

This rule is giving false positives sistematically on a web server running
Squirrelmail. The rule seems OK as it searches for a decimal value preceded
by a minus sign, after the "Content Length:" string, but the alerts I'm
getting all have positive values. I've also found a post in a forun about
this same problem suggesting it could be a 
Problem with the PCRE processor.
This remains unsolved for me.

--
#False Negatives:

--
#Corrective Action:

--
#Contributors:

-- 
#Additional References:





More information about the Snort-sigs mailing list