[Snort-sigs] SID:13310

Matt Watchinski mwatchinski at ...435...
Wed Nov 12 15:44:02 EST 2008


Got a pcap?

If so please send it to research [a t] sourcefire.com

and we'll give it a look to see if there is a good way to fix it.

Cheers,
-matt

On Wed, Nov 12, 2008 at 11:59 AM, Wallace, Jason <jason.wallace at ...3359...
> wrote:

>
> I seem to get a lot of false positives related to responses from IIS
> servers with SID:13310.
>
> Since this is specific to Apache, is there any reason it should not be
> updated with a simple...
>
> content:"Apache"; nocase;
>
> This would probably also cut down on the number of times this giant pcre
> would need to be evaluated.
>
>
> Thx,
> Jason
>
> @XXXXX{=================>
> Jason R. Wallace
> Talecris Biotherapeutics
> Information Solutions
> Sr. IS Security Analyst
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's
> challenge
> Build the coolest Linux based applications with Moblin SDK & win great
> prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>



-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20081112/583bf9ea/attachment.html>


More information about the Snort-sigs mailing list