[Snort-sigs] false positive FYI

Al Lewis (allewi) allewi at cisco.com
Thu Dec 7 14:59:55 EST 2017


Can you send a sample of the traffic?


Albert Lewis
SOURCEfire, Inc. now part of Cisco
Email: allewi at cisco.com

From: Snort-sigs <snort-sigs-bounces at lists.snort.org> on behalf of Daniel Schreiber <scrober at outlook.de>
Date: Thursday, December 7, 2017 at 2:45 PM
To: "snort-sigs at lists.snort.org" <snort-sigs at lists.snort.org>
Subject: [Snort-sigs] false positive FYI


This rule here:
119:33 (http_inspect) UNESCAPED SPACE IN HTTP URI

causes some false positives on my setup.

It blocks Apple FaceTime server IPs and Steam akamaitechnologies IPs that seem to refer to the Steam Network.

