|
|
Re: False positive alert: sid:2570: msg#00183security.ids.snort.sigs
On Tue, Oct 26, 2004 at 10:47:31AM -0400, M. Shirk wrote: > I was thinking about maybe adding depth to check the initial HTTP version > but the GET request could be of any length. I am seeing if I can make a > rule to check the initial header and ignore all other HTTP/ strings. > (nnposter might have an idea :-) > > This may be a case where you have to create a pass rule ahead of this rule > to pass that traffic.(of course someone on the list please jump in with a > better solution). Yep, just disable the rule. Brian ------------------------------------------------------- This SF.net email is sponsored by: IT Product Guide on ITManagersJournal Use IT products in your business? Tell us what you think of them. Give us Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more http://productguide.itmanagersjournal.com/guidepromo.tmpl |
|
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| Previous by Date: | RE: False positive alert: sid:2570: 00183, M. Shirk |
|---|---|
| Next by Date: | Re: Bleedingsnort.com Daily Update: 00183, Matt Jonkman |
| Previous by Thread: | RE: False positive alert: sid:2570i: 00183, M. Shirk |
| Next by Thread: | RE: False positive alert: sid:2570: 00183, nnposter |
| Indexes: | [Date] [Thread] [Top] [All Lists] |
| News | FAQ | advertise |