[Snort-sigs] Re: Snort-sigs digest, Vol 1 #1595 - 2 msgs

Ureleet Ureleet ureleet at ...2420...
Wed Jan 11 14:45:00 EST 2006


What is the official policy on submitting FPs?  Description and packet
captures?  But to what address?  Where to send them?



On 1/10/06, snort-sigs-request at lists.sourceforge.net
<snort-sigs-request at lists.sourceforge.net> wrote:
> Today's Topics:
>
>    1. Re: FPs on community sids 100000118,100000119 (Brian Caswell)
>    2. Intro (Ureleet Ureleet)
>
> --__--__--
>
> Message: 1
> Cc: snort-sigs at lists.sourceforge.net
> From: Brian Caswell <bmc at ...95...>
> Subject: Re: [Snort-sigs] FPs on community sids 100000118,100000119
> Date: Tue, 10 Jan 2006 10:51:14 -0500
> To: Jeff Kell <jeff-kell at ...922...>
>
> On Jan 9, 2006, at 7:57 PM, Jeff Kell wrote:
> > The original rules are designed to catch a buffer overflow with an
> > overly long 'Content-type:' or 'Content-encoding:' tag.  The current
> > signatures are looking for those content strings, followed by 200
> > bytes of  [^\r\n].  Several webmail clients are causing FPs on this
> > sig, the text they actually return is delimited by <br> notation, or
> > with AOL they are sometimes delimited by the literals "\r\n" (format
> > string?).  At any rate, the expected <cr>/<lf> terminators aren't
> > there, and the sigs fire.
>
> Can you send an example packet that shows the FP?
>
> Brian
>
>
>
> --__--__--
>
> Message: 2
> Date: Tue, 10 Jan 2006 11:37:57 -0500
> From: Ureleet Ureleet <ureleet at ...2420...>
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] Intro
>
> Hey all.  I've been around Snort for years, but never been on the list.
> Just wanted to intro myself.  Hope to learn, hope to help learn.
>
>
>
>
> --__--__--
>
>
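
Added example (not part of the original messages, and not the text of the community rules): a Python approximation of the check Jeff Kell describes, run over constructed payloads to reproduce the false positive and record which stand-in delimiter caused it. The pattern, sample payloads and the `analyze` helper are assumptions built from his description.

```python
import re

# Approximation of the check described in the quoted message: the header name
# followed by 200 bytes that are neither CR nor LF. This is an assumption based
# on that description, not the text of the community rules themselves.
OVERLONG = re.compile(rb"Content-(?:type|encoding):[^\r\n]{200}", re.IGNORECASE)
BR_TAG = re.compile(rb"<br\s*/?>", re.IGNORECASE)
LITERAL_CRLF = b"\\r\\n"  # four printable bytes: backslash r backslash n

def analyze(payload: bytes) -> dict:
    """Say whether the approximated check fires and which stand-in line
    delimiters (not real CR/LF) appear inside the matched span."""
    m = OVERLONG.search(payload)
    if m is None:
        return {"fires": False, "delims": []}
    span = m.group(0)
    delims = []
    if BR_TAG.search(span):
        delims.append("<br>")
    if LITERAL_CRLF in span:
        delims.append("literal \\r\\n")
    return {"fires": True, "delims": delims}

# Constructed sample payloads (not captures from the thread).
HTTP_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
FILLER = b"message text " * 20  # 260 bytes with no CR or LF
SAMPLES = {
    "normal": HTTP_HDR + b"<html><body>hello</body></html>",
    "overlong": b"HTTP/1.1 200 OK\r\nContent-Type: " + b"A" * 300 + b"\r\n\r\n",
    "webmail_br": HTTP_HDR + b"<html><body>From: a@example.com<br>"
                  b"Content-Type: text/plain; charset=ISO-8859-1<br>"
                  b"Content-Encoding: 7bit<br><br>" + FILLER + b"</body></html>",
    "literal_crlf": HTTP_HDR + b"<html><body>Content-Type: text/plain\\r\\n"
                    b"Content-Encoding: 7bit\\r\\n\\r\\n" + FILLER + b"</body></html>",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, analyze(payload))
```

A hit whose matched span contains one of these stand-in delimiters is the webmail case from the thread; noting that alongside the packet capture gives the rule maintainers the detail Brian asks for.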



