[Emerging-Sigs] Possible FP 2013437

Lay, James james.lay at wincofoods.com
Mon Oct 3 18:10:07 EDT 2011


Hi James,
For reduce FP, can you test by adding within like this:
  alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
POLICYExecutable served from Amazon S3"; flow:established,to_client;
content:"Server|3A| AmazonS3"; http_header; file_data; content:"MZ";
within:2; distance:0; isdataat:80,relative; content:"PE"; distance:0;...
but need last snort v291. (and default config paf_max: 16384)
Regards
Rmkml



Thanks Rmkml...I'll give that a try.

James


More information about the Emerging-sigs mailing list