IDS mailing list archives

Re: HTTP traffic


From: abhicc285 () gmail com
Date: 18 Jul 2007 03:42:49 -0000


> When we write any rules for HTTP traffic will there be any issue of false positive?


Hi,

HTTP rules are prone to false positives as well. For example, there is a vulnerability called the MS-DOS device name vulnerability. To prevent this vulnerability, MS-DOS device names like aux, com, lpt need to be blocked. If your rule is blocking only com, the rule will end up blocking all the .com as well, triggering a lot of false positives.

Hope it helps
Abhi
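
The false positive described in the message above, as an added example that is not part of the original post: a bare substring rule is compared with a rule that fires only when a whole path segment is a device name. The sample URIs are constructed, the function names are hypothetical, and the device list beyond aux, com and lpt (con, prn, nul, and the 1-9 suffixes) is an assumption about what such a rule would cover.

```python
import re
from urllib.parse import unquote, urlsplit

# Reserved DOS device names. The post names aux, com and lpt; con, prn, nul
# and the numeric suffixes are added here as an assumption about rule scope.
DEVICE_RE = re.compile(r"^(?:con|prn|aux|nul|com[1-9]|lpt[1-9])$", re.IGNORECASE)

def naive_match(uri: str) -> bool:
    """Over-broad rule from the post: fire on the bare string anywhere."""
    lowered = uri.lower()
    return any(token in lowered for token in ("aux", "com", "lpt"))

def device_name_match(uri: str) -> bool:
    """Fire only when a whole path segment's base name is a device name."""
    # Decode percent-escapes first so an encoded name is still seen, and look
    # at the path only, so host names and query strings cannot trigger it.
    path = unquote(urlsplit(uri).path)
    for segment in re.split(r"[/\\]", path):
        # A device name is still a device name with an extension ("aux.txt")
        # or a trailing colon ("aux:"), so compare the base name only.
        base = segment.split(".", 1)[0].rstrip(" :")
        if DEVICE_RE.match(base):
            return True
    return False

# Constructed sample request URIs.
SAMPLES = [
    "http://www.example.com/news/community.html",  # ".com" host, "community"
    "/auxiliary/readme.txt",                       # contains "aux" only as a prefix
    "/images/logo.png",                            # unrelated
    "/scripts/aux",                                # device name as a full segment
    "/files/COM1.txt",                             # device name with an extension
    "/docs/lpt%31",                                # percent-encoded "lpt1"
]

def false_positives(samples):
    """URIs the substring rule flags but the anchored rule does not."""
    return [u for u in samples if naive_match(u) and not device_name_match(u)]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:45} naive={naive_match(uri)!s:5} anchored={device_name_match(uri)}")
    print("false positives of the substring rule:", false_positives(SAMPLES))
```
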


