[Snort-sigs] Another false positive - sid:2435

Chris Keladis chris at ...2461...
Fri Mar 18 16:07:44 EST 2005


Paul Schmehl wrote:

> --On Friday, March 18, 2005 05:48:45 PM -0500 Scott Dexter 
> <scott.dexter at ...2420...> wrote:
> 
>>
>> With a space you always run the chance of a false negative too,
> 
> 
> Can you give an example?
> 
> If you're looking for files named foo.eml, what could follow eml without 
> "screwing up" the filename?

Strictly speaking, ";" comes to mind. "?" is another, or even "&" or "/".

Although looking at it in the context of the file format, EMF (not to be 
confused with EML) is a graphics format and I don't think should ever 
take input (but I may be wrong, never checked).

So that takes "?" out of the equation. There are probably more that I 
have missed.





Regards,

Chris.
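
The delimiter point in this message, as an added example that is not part of the original post or of the Snort rule set: it compares a pattern anchored on a trailing space with one that accepts the characters listed above. It assumes the match is made against an HTTP request line; the patterns, function names and sample lines are constructed for illustration.

```python
import re

# Assumption: the rule variant under discussion matches the extension
# followed by a literal space, as it appears in "GET /a.emf HTTP/1.0".
SPACE_ANCHORED = re.compile(r"\.emf ", re.IGNORECASE)

# Hypothetical alternative: accept any character the thread lists as able
# to follow the extension (";", "?", "&", "/"), or the end of the target.
DELIM_AWARE = re.compile(r"\.emf(?=[;?&/]|$)", re.IGNORECASE)


def request_target(request_line):
    """Return the request-target field of an HTTP request line, or None."""
    parts = request_line.split(" ")
    return parts[1] if len(parts) == 3 else None


def space_match(request_line):
    """True if the extension is followed by a space anywhere in the line."""
    return SPACE_ANCHORED.search(request_line) is not None


def delim_match(request_line):
    """True if the target has .emf followed by a delimiter or nothing."""
    target = request_target(request_line)
    return target is not None and DELIM_AWARE.search(target) is not None


# Constructed sample request lines (not captured traffic).
SAMPLES = [
    "GET /img/logo.emf HTTP/1.0",
    "GET /img/logo.emf;v=1 HTTP/1.0",
    "GET /img/logo.emf?x=1 HTTP/1.0",
    "GET /img/logo.emf&x=1 HTTP/1.0",
    "GET /img/logo.emf/ HTTP/1.0",
    "GET /img/logo.emfx HTTP/1.0",
    "GET /docs/readme.txt HTTP/1.0",
]


def compare(samples=SAMPLES):
    """Return (line, space_match, delim_match) for each sample line."""
    return [(s, space_match(s), delim_match(s)) for s in samples]


if __name__ == "__main__":
    for line, sp, dl in compare():
        print(f"{line!r:40} space={sp!s:5} delim={dl}")
```
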