[Emerging-Sigs] FP on 2011031?

evilghost at packetmail.net
Thu Oct 7 16:36:44 EDT 2010


On 10/07/2010 03:25 PM, Weir, Jason wrote:
> Yup - it looks like it's firing on all HTTP GET requests...  Only thing
> I changed was testing Matt's Beta ET Pro Open ruleset - no changes to
> the snort.conf.. 

I really wish I had more to offer here.  I just can't fathom why this
rule is firing.  We ran it with 2.8.5.x and even now with 2.8.6.1
without any false positives.

I rarely, if ever, see it fire.  I know this doesn't help your situation
but I am putting thought into it.

Double-checked and we're running 2011031; anyone else having issues?
What version of Snort are you using, Jason?

Just don't see why this rule would fire on all HTTP GETs, it should
never fire on HTTP "GET"...

-evilghost


