[Snort-sigs] False positive - sid:2303

Paul Schmehl pauls at ...1311...
Fri Mar 18 13:30:48 EST 2005

--On Friday, March 18, 2005 03:11:33 PM -0600 SRH-Lists 
<giermo at ...1992...> wrote:
> Is it possible that the offending content is in the stream and not in
> the packet you are looking at?

Probably so.  Unfortunately, we only have a 160GB drive right now, so I
can't even keep 24 hours of data.  Those stream packets are gone.

> If you are getting these a lot, try running tcpdump or ethereal or snort
> in packet logging mode (or sguil with log_packets) and take a look at
> the whole stream.  I bet the content is in there someplace.

We're running sguil.  That's where I'm getting all this info.

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
