[Emerging-Sigs] Gzipped Posts
dxp
dxp2532 at gmail.com
Mon Mar 31 11:36:36 EST 2008
For HTTP-based traffic, the majority of systems were Windows-based.
I don't see how an OS makes a difference here. Compressing HTTP traffic
is performed by a browser, unless there are Windows services which need
to POST compressed content to the net.
On Mon, 2008-03-31 at 10:55 -0500, Frank Knobbe wrote:
> On Thu, 2008-03-27 at 23:50 -0400, dxp wrote:
> > Had the sig running ever since the post on a fairly large and
> > distributed network without a single hit. HTTP traffic inspected is
> > both internal and external.
>
> You don't run many Windows systems, do you?
>
> In fact, there was a massive amount of false positives that we've seen.
> Some sites include codecs.microsoft.com and other benign sites.
>
> Matt has disabled that sig by default now afaik. Enable if you like, but
> be careful. More falses than not.
>
> -Frank
--
-=[ dxp ]=-
0xA3F3C6E3