[Snort-sigs] FPs on community sids 100000118,100000119

Brian Caswell bmc at ...95...
Tue Jan 10 07:52:01 EST 2006


On Jan 9, 2006, at 7:57 PM, Jeff Kell wrote:
> The original rules are designed to catch a buffer overflow with an 
> overly long 'Content-type:' or 'Content-encoding:' tag.  The current 
> signatures are looking for those content strings, followed by 200 
> bytes of [^\r\n].  Several webmail clients are causing FPs on this 
> sig, the text they actually return is delimited by <br> notation, or 
> with AOL they are sometimes delimited by the literals "\r\n" (format 
> string?).  At any rate, the expected <cr>/<lf> terminators aren't 
> there, and the sigs fire.

Can you send an example packet that shows the FP?

Brian
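
The false-positive mechanism described in the quoted message, as an added example that is not part of the original thread and is not the rule's own text: the pattern below only approximates "header name followed by 200 bytes of [^\r\n]" (the actual rules for sids 100000118/100000119 are not shown here), the payloads are constructed, and `header_only_fires` is a hypothetical tightening, not a fix proposed by either poster.

```python
import re

# Approximation of the check described in the thread (an assumption, not the
# real rule): header name followed by 200 bytes that are neither CR nor LF.
SIG = re.compile(rb"Content-(?:type|encoding):[^\r\n]{200}", re.IGNORECASE)

# Hypothetical tightening: the header name must start a line, and only the
# header block (everything before the first blank line) is inspected.
HDR_SIG = re.compile(rb"(?:^|\r\n)Content-(?:type|encoding):[^\r\n]{200}",
                     re.IGNORECASE)


def sig_fires(payload: bytes) -> bool:
    """True when the approximated signature matches anywhere in the payload."""
    return SIG.search(payload) is not None


def header_only_fires(payload: bytes) -> bool:
    """True when the overlong value sits in a real header line.

    Assumes the whole header block arrives in the payload being inspected.
    """
    head, _, _ = payload.partition(b"\r\n\r\n")
    return HDR_SIG.search(head) is not None


# Constructed sample payloads (not captured traffic).
HEAD = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

# 1. Overlong header value: the condition the rules were written to catch.
OVERLONG = b"HTTP/1.1 200 OK\r\nContent-Type: " + b"A" * 300 + b"\r\n\r\n"

# 2. Webmail page showing a message's headers separated by <br>, so no
#    CR/LF follows the header name inside the body.
WEBMAIL_BR = (HEAD + b"<html><body>Content-Type: text/plain<br>"
              + b"X-Mailer: example<br>" * 20 + b"</body></html>")

# 3. Body where line ends are the four literal characters \r\n, not CR/LF.
AOL_LITERAL = (HEAD + b"Content-Type: text/plain\\r\\n"
               + b"Received: from mail.example\\r\\n" * 20)

# 4. Ordinary response with short headers and a short body.
NORMAL = HEAD + b"<html><body>hello</body></html>"

if __name__ == "__main__":
    for name in ("OVERLONG", "WEBMAIL_BR", "AOL_LITERAL", "NORMAL"):
        p = globals()[name]
        print(f"{name:12} sig={sig_fires(p)} header_only={header_only_fires(p)}")
```

The header-only variant would miss an overlong value carried outside the first header block, so it trades coverage for fewer false positives.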