[Snort-users] False positives
cmg at ...950...
Tue Oct 22 11:49:04 EDT 2002
Gary Verhulp <garyv at ...7238...> writes:
> That's what I'm sayin'
> I've determined that I have a false positive i.e. I've examined the
> packets and I have reliable instances of False positives.
> For instance <possible .scr worm> is triggered by .scr
> which, as I understand it, reads as any character followed by "scr"
actually it's ".scr". Those aren't regular expressions on your
screen! So its anytime the 4 byte pattern .scr is found
Chris Green <cmg at ...1935...>
A good pun is its own reword.
More information about the Snort-users