Snort mailing list archives

Rule 17407 produces false positives on Yahoo photo gallery viewer


From: Steve <steve.bachelor () gmail com>
Date: Mon, 1 Oct 2012 16:50:44 -0400


An HTTP GET request included the string [lots of
characters]%3dv.hLPtFJpBs-%2f[lots more characters]

That's obviously not a Windows help file download request. Should I add
a regex to the rule looking for '\.hlp(?![a-zA-Z0-9])'  or something
like that?

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
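
The following is an added example, not part of the original post and not Sourcefire's rule text. It compares a plain `.hlp` match with the regex proposed above. It assumes the unmodified rule fires on a case-insensitive `.hlp` substring in the URI and that the proposed PCRE would carry the `/i` modifier; the sample URIs are constructed, with filler standing in for the elided parts of the reported request.

```python
import re

# Assumption: the unmodified rule matches ".hlp" case-insensitively in the URI.
BASELINE = re.compile(r"\.hlp", re.IGNORECASE)
# Regex proposed in the post, evaluated with the same case-insensitivity.
PROPOSED = re.compile(r"\.hlp(?![a-zA-Z0-9])", re.IGNORECASE)

# Constructed sample URIs (not captured traffic).
SAMPLES = {
    # Reported false positive; AAAA/BBBB stand in for the elided characters.
    "yahoo_gallery": "/gallery?sig=AAAA%3dv.hLPtFJpBs-%2fBBBB",
    # Requests that name a Windows help file.
    "hlp_end": "/docs/manual.hlp",
    "hlp_query": "/docs/manual.hlp?lang=en",
    "hlp_upper": "/DOCS/MANUAL.HLP",
    # A longer alphanumeric extension that merely starts with "hlp".
    "hlpx": "/docs/readme.hlpx",
    # "_" is outside [a-zA-Z0-9], so the lookahead does not suppress this one.
    "hlp_underscore": "/img/v.hlp_thumb.jpg",
}


def evaluate(uri):
    """Return whether each pattern would fire on the given URI."""
    return {
        "baseline": bool(BASELINE.search(uri)),
        "proposed": bool(PROPOSED.search(uri)),
    }


def report():
    """Evaluate every constructed sample against both patterns."""
    return {name: evaluate(uri) for name, uri in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:15} baseline={result['baseline']!s:5} "
              f"proposed={result['proposed']!s:5} {SAMPLES[name]}")
```

The `hlp_underscore` row shows a residual false-positive case: any non-alphanumeric byte after `.hlp` still satisfies the lookahead.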

