[Snort-sigs] False alert for SID 1:1769

Nigel Houghton nigel at ...435...
Mon Jan 31 07:03:38 EST 2005


On  0, p3consulting <p3consulting at ...2282...> allegedly wrote:
> Rule:   
>  WEB-MISC .DS_Store access 
> 
> -- 
> Sid: SID 1:1769 
> 
> False Positives:  
> Legitimate WebDAV access to a server running Snort from a Mac OS X 
> machine will generate the alert. 
 
Evidence of this is required. Please provide example packet captures if
possible. If anyone else has seen this and can get packet captures that
would be helpful. 

Thanks.

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

   Stewie: This is treason.. for God sakes Peter make an example of
   her.. nothing says 'obey me' like a bloody head on a fence post.




More information about the Snort-sigs mailing list