[Snort-users] False Positive on VRT 28039

Jeremy Hoel jthoel at ...11827...
Tue Nov 26 19:37:48 EST 2013


Rule is looking for .pw as indicator of compromise however upworthy
bought u.pw as a URL shortener.  Maybe modify the rule to exclude that
domain?

http://www.thedomains.com/2013/06/03/upworthy-com-buys-u-pw-as-url-shortener/




More information about the Snort-users mailing list