[Snort-users] False positives

Chris Green cmg at ...950...
Tue Oct 22 11:49:04 EDT 2002


Gary Verhulp <garyv at ...7238...> writes:

> That's what I'm sayin'
> :)
> I've determined that I have a false positive, i.e. I've examined the
> packets and I have reliable instances of false positives.
>
> For instance <possible .scr worm> is triggered by .scr
> which, as I understand it, reads as any character followed by "scr"

Actually it's ".scr".  Those aren't regular expressions on your
screen!  So it's any time the 4-byte pattern .scr is found.
-- 
Chris Green <cmg at ...1935...>
A good pun is its own reword.
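
Added example, not part of the original message or of Snort's code: a small Python model of the point made in the reply, that a content string is a literal byte pattern rather than a regular expression. The function names and sample payloads are constructed for illustration, and the parser handles only plain text and `|hex|` sections, not escaped characters.

```python
import re

def parse_content(spec: str) -> bytes:
    """Convert a content string ('.scr', '|2E|scr') to the bytes it matches.
    Text outside |...| is literal; text inside is space-separated hex."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced | in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)

def content_match(payload: bytes, spec: str, nocase: bool = False) -> bool:
    """Literal byte search anywhere in the payload (how the reply reads it)."""
    pattern = parse_content(spec)
    if nocase:
        payload, pattern = payload.lower(), pattern.lower()
    return pattern in payload

def regex_match(payload: bytes, spec: str) -> bool:
    """The mistaken reading: '.' as 'any character' followed by 'scr'."""
    return re.search(spec.encode("latin-1"), payload, re.DOTALL) is not None

# Constructed sample payloads (not captured traffic).
PAYLOADS = {
    "attachment": b'Content-Disposition: attachment; filename="readme.scr"\r\n',
    "web_host": b"GET / HTTP/1.0\r\nHost: www.screensavers.example\r\n\r\n",
    "prose": b"Please describe the problem in detail.\r\n",
}

def compare(spec: str = ".scr") -> dict:
    """Map payload name -> (literal match, regex-style match)."""
    return {name: (content_match(p, spec), regex_match(p, spec))
            for name, p in PAYLOADS.items()}

if __name__ == "__main__":
    for name, (literal, as_regex) in compare().items():
        print(f"{name:12} literal={literal!s:5} regex={as_regex}")
```

The `web_host` payload shows where literal-match false positives come from: the four bytes `.scr` occur inside a hostname, with no attachment involved. The `prose` payload matches only under the regex reading.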



