What is official policy on submitting FP's? Description and packet
captures? But to what address? Where to send them,?
On 1/10/06, snort-sigs-request@lists.sourceforge.net
<snort-sigs-request@lists.sourceforge.net> wrote:
Send Snort-sigs mailing list submissions to
snort-sigs@lists.sourceforge.net
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.sourceforge.net/lists/listinfo/snort-sigs
or, via email, send a message with subject or body 'help' to
snort-sigs-request@lists.sourceforge.net
You can reach the person managing the list at
snort-sigs-admin@lists.sourceforge.net
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-sigs digest..."
Today's Topics:
1. Re: FPs on community sids 100000118,100000119 (Brian Caswell)
2. Intro (Ureleet Ureleet)
--__--__--
Message: 1
Cc: snort-sigs@lists.sourceforge.net
From: Brian Caswell <bmc@snort.org>
Subject: Re: [Snort-sigs] FPs on community sids 100000118,100000119
Date: Tue, 10 Jan 2006 10:51:14 -0500
To: Jeff Kell <jeff-kell@utc.edu>
On Jan 9, 2006, at 7:57 PM, Jeff Kell wrote:
The original rules are designed to catch a buffer overflow with an
overly long 'Content-type:' or 'Content-encoding:' tag. The current
signatures are looking for those content strings, followed by 200
bytes of [^\r\n]. Several webmail clients are causing FPs on this
sig, the text they actually return is delimited by <br> notation, or
with AOL they are sometimes delimited by the literals "\r\n" (format
string?). At any rate, the expected <cr>/<lf> terminators aren't
there, and the sigs fire.
Can you send an example packet that shows the FP?
Brian
--__--__--
Message: 2
Date: Tue, 10 Jan 2006 11:37:57 -0500
From: Ureleet Ureleet <ureleet@gmail.com>
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] Intro
------=_Part_2607_22505505.1136911077588
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Hey all. I've been around Snort for years, but never been on the list.
Just wanted to into myself. Hope to learn, hope to help learn.
------=_Part_2607_22505505.1136911077588
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
<div>Hey all. I've been around Snort for years, but never been on the=
list. Just wanted to into myself. Hope to learn, hope to help =
learn.</div>
<div> </div>
<div> </div>
<div> </div>
<div> </div>
------=_Part_2607_22505505.1136911077588--
--__--__--
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
End of Snort-sigs Digest
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_idv37&alloc_id�865&opÌk
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
