[Snort-sigs] FP on 1365 - Web attack rm attempt

Jeff Kell jeff-kell at ...922...
Mon Jul 4 12:01:13 EDT 2005


Getting FPs on 1365, which is checking for content: "rm%20" -> http servers.  Webmail in particular is the problem here, exchanging subject lines containing words ending in "rm", e.g., dorm, form, worm, etc.

A pcre: with \W in front should fix it, if it's worth the overhead.

Jeff
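
Added example (not part of the original post, and not the rule's actual text): a Python sketch that compares the bare `rm%20` substring check with the `\W`-prefixed pattern suggested above. The request lines are constructed, and the function names are assumptions made for this illustration.

```python
import re

# Substring the post says SID 1365 looks for.
LEGACY_CONTENT = b"rm%20"
# Suggested refinement: a non-word byte must precede "rm".
TUNED_PCRE = re.compile(rb"\Wrm%20")


def legacy_hit(payload: bytes) -> bool:
    """Plain substring match, as described in the post."""
    return LEGACY_CONTENT in payload


def tuned_hit(payload: bytes) -> bool:
    """Cheap substring test first; the regex runs only on candidates,
    which limits the overhead the post is concerned about."""
    return LEGACY_CONTENT in payload and TUNED_PCRE.search(payload) is not None


# Constructed sample request lines (not captured traffic).
SAMPLES = [
    ("webmail dorm", b"GET /mail/compose?subject=new%20dorm%20assignments HTTP/1.0"),
    ("webmail form", b"POST /webmail/send?subject=Form%20letter HTTP/1.0"),
    ("webmail worm", b"GET /webmail/read?subject=worm%20alert HTTP/1.0"),
    ("separator then rm", b"GET /cgi-bin/view?f=a.txt;rm%20a.txt HTTP/1.0"),
    ("no rm at all", b"GET /index.html HTTP/1.0"),
]


def compare(samples):
    """Return (label, legacy_alert, tuned_alert) for each sample."""
    return [(label, legacy_hit(p), tuned_hit(p)) for label, p in samples]


if __name__ == "__main__":
    for label, legacy, tuned in compare(SAMPLES):
        print(f"{label:20s} legacy={legacy!s:5s} tuned={tuned}")
```
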



