List: snort-sigs
Subject: Re: [Snort-sigs] SID:13310
From: "Matt Watchinski" <mwatchinski () sourcefire ! com>
Date: 2008-11-12 20:44:02
Message-ID: 64e9fb5a0811121244i13c8fb91nae03ca34b6cc04a () mail ! gmail ! com
Got a pcap?
If so please send it to research [a t] sourcefire.com
and we'll give it a look to see if there is a good way to fix it.
Cheers,
-matt
On Wed, Nov 12, 2008 at 11:59 AM, Wallace, Jason <jason.wallace@talecris.com> wrote:
>
> I seem to get a lot of false positives related to responses from IIS
> servers with SID:13310.
>
> Since this is specific to Apache, is there any reason it should not be
> updated with a simple...
>
> content:"Apache"; nocase;
>
> This would probably also cut down on the number of times this giant pcre
> would need to be evaluated.
>
>
> Thx,
> Jason
>
> @XXXXX{=================>
> Jason R. Wallace
> Talecris Biotherapeutics
> Information Solutions
> Sr. IS Security Analyst
>
> -------------------------------------------------------------------------
> This SF.Net email is sponsored by the Moblin Your Move Developer's
> challenge
> Build the coolest Linux based applications with Moblin SDK & win great
> prizes
> Grand prize is a trip for two to an Open Source event anywhere in the world
> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
--
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
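
The effect of the content gate proposed in the quoted message, modelled as an added example that is not part of the thread or of any Snort rule set. The pcre is a hypothetical stand-in, since the thread does not show SID 13310's pattern, and the four responses are constructed.

```python
import re

# Hypothetical stand-in for the rule's pcre: the thread does not show
# SID 13310's pattern, so this only models "an expensive match that also
# fits non-Apache responses".
STAND_IN_PCRE = re.compile(rb"^HTTP/1\.[01] 403\b")

# Constructed sample responses (not taken from any capture).
SAMPLES = {
    "iis": b"HTTP/1.1 403 Forbidden\r\nServer: Microsoft-IIS/6.0\r\n\r\n<html>Access denied</html>",
    "apache": b"HTTP/1.1 403 Forbidden\r\nServer: Apache/2.2.9 (Unix)\r\n\r\n<html>Forbidden</html>",
    # Apache behind a front end that rewrites the Server header.
    "apache_rewritten": b"HTTP/1.1 403 Forbidden\r\nServer: gateway\r\n\r\n<html>Forbidden</html>",
    # IIS response whose body happens to contain the word.
    "iis_body_mention": b"HTTP/1.1 403 Forbidden\r\nServer: Microsoft-IIS/6.0\r\n\r\n<html>See the apache migration notes</html>",
}

def content_nocase(payload, needle):
    """Model of content:"..."; nocase; with no offset/depth: match anywhere."""
    return needle.lower() in payload.lower()

def evaluate(payload, gated):
    """Return (alerted, pcre_ran) for one response payload."""
    if gated and not content_nocase(payload, b"Apache"):
        return False, False          # gate failed: pcre never evaluated
    return STAND_IN_PCRE.search(payload) is not None, True

def run(gated):
    """Evaluate every sample; return per-sample results and the pcre run count."""
    results = {name: evaluate(p, gated) for name, p in SAMPLES.items()}
    pcre_runs = sum(1 for _, ran in results.values() if ran)
    return results, pcre_runs

if __name__ == "__main__":
    for gated in (False, True):
        results, pcre_runs = run(gated)
        print("gated" if gated else "ungated", "pcre evaluations:", pcre_runs)
        for name, (alerted, ran) in results.items():
            print(f"  {name:18} alerted={alerted} pcre_ran={ran}")
```

On these samples the gate drops the plain IIS alert and halves the pcre evaluations, but an unanchored content match still fires on the IIS response that mentions the word in its body and no longer alerts on the Apache response whose Server header was rewritten.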