False +ves for SQL generic sql update injection attempt 13514

[Russell Fulton <r.fulton () auckland ac nz>]

I'm seeing thousands of FP on this rule -- the one below is doing an  
WSUS update...

Russell

META    
SID     CID     TimeStamp       Signature       Sig ID
6       13220748        2008-04-28 09:44:11     SQL generic sql update injection  
attempt 13514
Sensor Hostname Sensor Interface
monitor-dmzo.isec.auckland.ac.nz        dmz sensor
IP      
Source Address  Dest Address    Ver     Hdr Len TOS     length  ID      flags   offset  TTL      
chksum
130.216.187.147 203.167.223.235 4       5       0       235     19559   2       0       126     50598
Resolved Source Resolved Dest
h-kang-p.sbs.auckland.ac.nz      
a203-167-223-235.deploy.akamaitechnologies.com
TCP     
Source Port     Dest Port       Seq     Ack     Offset  Reserved        Flags   Window  Checksum         
Urgent Ptr
3022    80      1204654794      925584691       5       0       24      65535   8765    0
Options
None
Flags
RB 1    RB 0    URG     ACK     PSH     RST     SYN     FIN
                        X       X                       


DATA    

HEAD /v7/windowsupdate/a/selfupdate/WSUS3/x86/Other/wsus3set
up.cab?0804272144 HTTP/1.1..Accept: */*..User-Agent: Windows
-Update-Agent..Host: download.windowsupdate.com..Connection:
  Keep-Alive....

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
Don't miss this year's exciting event. There's still time to save $100. 
Use priority code J8TL2D2. 
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users