[Emerging-Sigs] Possible FP 2013437
james.lay at wincofoods.com
Mon Oct 3 18:10:07 EDT 2011
To reduce FPs, can you test by adding within like this:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
POLICY Executable served from Amazon S3"; flow:established,to_client;
content:"Server|3A| AmazonS3"; http_header; file_data; content:"MZ";
within:2; distance:0; isdataat:80,relative; content:"PE"; distance:0;...
but this needs the latest Snort v291 (and the default config paf_max: 16384).
Thanks Rmkml...I'll give that a try.
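
Added example, not part of the original thread or of the Emerging Threats ruleset: a simplified Python emulation of the relative content options in the suggested rule, showing why anchoring "MZ" with within:2 after file_data drops matches on bodies that merely contain those bytes. The function names and sample bodies are constructed for illustration, and the Server header match is assumed to have already succeeded.

```python
# Simplified model of Snort's relative content matching (an assumption-level
# sketch, not Snort's own code). The cursor starts at 0, i.e. at file_data.

def find_content(buf, pattern, cursor, distance=0, within=None):
    """Return the cursor just past the match, or None if there is no match.
    The search starts `distance` bytes past the cursor; with `within`, the
    whole pattern must lie inside that many bytes from the search start."""
    start = cursor + distance
    end = len(buf) if within is None else min(len(buf), start + within)
    pos = buf.find(pattern, start, end)
    return None if pos < 0 else pos + len(pattern)

def is_data_at(buf, cursor, n):
    """Model of isdataat:n,relative: a byte exists n bytes past the cursor."""
    return cursor + n < len(buf)

def rule_matches(body, anchored):
    """Evaluate the body part of the rule. anchored=True adds within:2, so
    "MZ" must be the first two bytes of the response body."""
    cur = find_content(body, b"MZ", 0, distance=0,
                       within=2 if anchored else None)
    if cur is None or not is_data_at(body, cur, 80):
        return False
    return find_content(body, b"PE", cur, distance=0) is not None

# Constructed sample bodies (not real files).
PE_LIKE = b"MZ" + b"\x90" * 126 + b"PE\x00\x00" + b"\x00" * 64
TEXT_BODY = b"<xml>" + b"A" * 20 + b"MZ" + b"B" * 100 + b"PE" + b"C" * 10
TINY_BODY = b"MZPE"

def compare(body):
    """Return (match without within:2, match with within:2)."""
    return rule_matches(body, False), rule_matches(body, True)

if __name__ == "__main__":
    for name, body in [("pe-like", PE_LIKE), ("text", TEXT_BODY),
                       ("tiny", TINY_BODY)]:
        print(name, compare(body))
```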