
List:       snort-sigs
Subject:    Re: [Snort-sigs] SID:13310
From:       "Matt Watchinski" <mwatchinski () sourcefire ! com>
Date:       2008-11-12 20:44:02
Message-ID: 64e9fb5a0811121244i13c8fb91nae03ca34b6cc04a () mail ! gmail ! com


Got a pcap?

If so please send it to research [a t] sourcefire.com

and we'll give it a look to see if there is a good way to fix it.

Cheers,
-matt

On Wed, Nov 12, 2008 at 11:59 AM, Wallace, Jason <jason.wallace@talecris.com> wrote:

>
> I seem to get a lot of false positives related to responses from IIS
> servers with SID:13310.
>
> Since this is specific to Apache, is there any reason it should not be
> updated with a simple...
>
> content:"Apache"; nocase;
>
> This would probably also cut down on the number of times this giant pcre
> would need to be evaluated.
>
>
> Thx,
> Jason
>
> @XXXXX{=================>
> Jason R. Wallace
> Talecris Biotherapeutics
> Information Solutions
> Sr. IS Security Analyst
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's
> challenge
> Build the coolest Linux based applications with Moblin SDK & win great
> prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>



-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928



