[Snort-sigs] FPs on community sids 100000118,100000119
bmc at ...95...
Tue Jan 10 07:52:01 EST 2006
On Jan 9, 2006, at 7:57 PM, Jeff Kell wrote:
> The original rules are designed to catch a buffer overflow with an
> overly long 'Content-type:' or 'Content-encoding:' tag. The current
> signatures are looking for those content strings, followed by 200
> bytes of [^\r\n]. Several webmail clients are causing FPs on this
> sig; the text they actually return is delimited by <br> notation, or
> with AOL they are sometimes delimited by the literals "\r\n" (format
> string?). At any rate, the expected <cr>/<lf> terminators aren't
> there, and the sigs fire.
Can you send an example packet that shows the FP?
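
The false positive described in the quoted message, sketched as an added example that is not part of the original thread or of the community rules. The regexes only approximate the described match (the rule text is not shown on this page), the payloads are constructed rather than captured, and `TIGHTENED` is a hypothetical variant.

```python
import re

# Approximation of the match described in the thread: the header name
# followed by 200 bytes that are neither CR nor LF.
DESCRIBED = re.compile(rb"Content-(?:type|encoding):[^\r\n]{200}", re.I)

# Hypothetical tightening (an assumption, not a published rule): also stop
# at '<' and at a backslash, so "<br>" and a textual "\r\n" end the value.
TIGHTENED = re.compile(rb"Content-(?:type|encoding):[^\r\n<\\]{200}", re.I)


def fires(pattern, payload):
    """True if the pattern matches anywhere in the payload."""
    return pattern.search(payload) is not None


def samples():
    """Constructed payloads for illustration, not captured traffic."""
    fields = [b"X-Header-%d: value-%d" % (i, i) for i in range(20)]
    return {
        # Header value far longer than 200 bytes before the real CR/LF
        "overlong_header": b"Content-Type: " + b"A" * 400 + b"\r\n",
        # Ordinary response header terminated by real CR/LF
        "normal_header": b"Content-Type: text/html; charset=utf-8\r\n\r\n",
        # Webmail page displaying a message's headers separated by <br>
        "webmail_br": b"<html><body>Content-Type: text/plain<br>"
                      + b"<br>".join(fields) + b"</body></html>",
        # Headers displayed with the four characters \ r \ n as literal text
        "webmail_literal": b"Content-Type: text/plain\\r\\n"
                           + b"\\r\\n".join(fields),
    }


def evaluate():
    """Map sample name -> (described pattern fires, tightened pattern fires)."""
    return {name: (fires(DESCRIBED, data), fires(TIGHTENED, data))
            for name, data in samples().items()}


if __name__ == "__main__":
    for name, (described, tightened) in evaluate().items():
        print(f"{name:16} described={described!s:5} tightened={tightened}")
```

Narrowing the character class trades the webmail false positives for a possible miss when an overlong value itself contains `<` or a backslash, so a variant like this needs testing against known-bad samples before use.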