Snort mailing list archives

Re: IDS254 False positive?

From: Bob Bernstein <bob () ruptured-duck com>
Date: Tue, 22 May 2001 20:07:24 -0400

On Tue, May 22, 2001 at 01:37:25PM -0500, Steve Halligan wrote:

This is simply a webserver on port 80 replying to you.  You just happen to
be using the same port the shaft client uses.  These rules stink, 'cause of
just this reason.  They really need content filters.


Interestingly enough, a tad more digging at whitehats revealed this
announcement on the 'protocol details' page

'Content Data 
 Coming soon, this is under construction.'

-- 
Bob Bernstein
at
Esmond, R.I., USA

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

IDS254 False positive? Bob Bernstein (May 22)
- RE: IDS254 False positive? Fernando Cardoso (May 22)
- <Possible follow-ups>
- RE: IDS254 False positive? Steve Halligan (May 22)
  - Re: IDS254 False positive? Bob Bernstein (May 22)