[Snort-sigs] Another false positive - sid:2435
chris at ...2461...
Fri Mar 18 16:07:44 EST 2005
Paul Schmehl wrote:
> --On Friday, March 18, 2005 05:48:45 PM -0500 Scott Dexter
> <scott.dexter at ...2420...> wrote:
>> With a space you always run the chance of a false negative too,
> Can you give an example?
> If you're looking for files named foo.eml, what could follow eml without
> "screwing up" the filename?
Strictly speaking, ";" comes to mind. "?" is another, or even "&" or "/".
Although looking at it in the context of the file format, EMF (not to be
confused with EML) is a graphics format and i dont think should ever
take input (but i may be wrong, never checked).
So that takes "?" out of the equation. There are probably more that i
More information about the Snort-sigs