[Snort-sigs] sid:1233

Dominik Gehl dgehl at ...3083...
Fri Jun 3 12:31:24 EDT 2005


Hi,

I noticed what I believe to be a false positive in rule 1233 (Outlook
EML access): a user was accessing Hotmail and the GET was
for /i.p.emlips.gif. Since the rule is looking for uricontent:".eml", an
alert was triggered.

Wouldn't it be better to search for the extension .eml instead of just
the substring .eml?

Dominik
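
Added example (not part of the original post, and not code from Snort or its ruleset): a Python comparison of the substring match described above with a check on the extension of the last path segment. Every sample URI except /i.p.emlips.gif is constructed, and the case-insensitive comparison and the helper names are assumptions.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample request URIs; only the first comes from the post.
SAMPLE_URIS = [
    "/i.p.emlips.gif",         # reported false positive
    "/mail/message.eml",       # genuine .eml request
    "/mail/MESSAGE.EML?id=7",  # upper case, with a query string
    "/docs/readme.eml.txt",    # .eml inside the name, real extension is .txt
    "/files/x.eml;v=1",        # path parameter after the extension
    "/search?q=.eml",          # .eml only in the query string
]


def substring_match(uri: str) -> bool:
    """Model of a bare content match: ".eml" anywhere in the decoded URI."""
    return ".eml" in unquote(uri).lower()


def extension_match(uri: str) -> bool:
    """True only when the last path segment ends in ".eml"."""
    path = unquote(urlsplit(uri).path)      # drops ?query and #fragment
    segment = path.rsplit("/", 1)[-1]       # final path segment
    segment = segment.split(";", 1)[0]      # drop ;path-parameters
    return segment.lower().endswith(".eml")


def flagged_only_by_substring(uris=SAMPLE_URIS):
    """URIs the substring test alerts on but the extension test does not."""
    return [u for u in uris if substring_match(u) and not extension_match(u)]


if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri:26} substring={substring_match(uri)!s:5} "
              f"extension={extension_match(uri)}")
    print("substring-only alerts:", flagged_only_by_substring())
```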