Re: Signature false positive update #2590: msg#00090 security.ids.snort.sigs
> False Positives: Any time a message contains "MAIL FROM" in any part of the
> body this rule will trigger. The words "email from" are extremely common in
> disclaimers and bulk ads. Any large site will see false positives on this
> signature thousands of times per week.

Can you try this change and let me know if it solves some of your false positives please?

replace this:

content:"MAIL FROM"; nocase; isdataat:260; content:!"|0A|"; within:256;

with this:

content:"MAIL"; nocase; isdataat:260; pcre:"/^MAIL\s+FROM[^\n]{256}/smi";

thanks,
Brian
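The difference between the two rule bodies in the message above, modeled in Python as an added example (not part of the original post or of the Snort rule set). The functions `old_rule` and `new_rule` are a simplified model of the rule options, not Snort's detection engine, and the three payloads are constructed.

```python
import re

# Simplified model of the two rule bodies; this is not Snort's detection engine.
OLD_CONTENT = re.compile(rb"MAIL FROM", re.I)  # content:"MAIL FROM"; nocase;
# pcre:"/^MAIL\s+FROM[^\n]{256}/smi"; with /m the ^ anchors at any line start
NEW_PCRE = re.compile(rb"^MAIL\s+FROM[^\n]{256}", re.S | re.M | re.I)

def has_data_at(payload, offset=260):
    # isdataat:260; the payload must extend past byte offset 260
    return len(payload) > offset

def old_rule(payload):
    # content:"MAIL FROM"; nocase; isdataat:260; content:!"|0A|"; within:256;
    if not has_data_at(payload):
        return False
    # Fires when any "MAIL FROM" is followed by 256 bytes with no newline,
    # wherever in the payload that string occurs.
    for m in OLD_CONTENT.finditer(payload):
        window = payload[m.end():m.end() + 256]
        if len(window) == 256 and b"\n" not in window:
            return True
    return False

def new_rule(payload):
    # content:"MAIL"; nocase; isdataat:260; pcre:"/^MAIL\s+FROM[^\n]{256}/smi";
    if not has_data_at(payload) or b"mail" not in payload.lower():
        return False
    return NEW_PCRE.search(payload) is not None

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    # Message body where "email from" appears mid-line before a long run of text.
    "disclaimer": b"Subject: notice\r\n\r\nThis email from Example Corp is "
                  b"confidential. " + b"x" * 300 + b"\r\n",
    # SMTP command at the start of a line with an overlong argument.
    "overlong_command": b"MAIL FROM:<" + b"A" * 300 + b">\r\n",
    # Ordinary session: short command lines, each terminated by CRLF.
    "normal_session": b"MAIL FROM:<alice@example.com>\r\n"
                      + b"RCPT TO:<bob@example.com>\r\n" * 12,
}

def evaluate():
    # Returns {sample name: (old rule fires, new rule fires)}
    return {name: (old_rule(p), new_rule(p)) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (old, new) in evaluate().items():
        print(f"{name:18} old={old!s:5} new={new}")
```
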