>When we write any rules for HTTP traffic will there be any issue of false positive?
Hi,

HTTP rules are prone to false positives as well. For example, there is a vulnerability called the MS-DOS device name vulnerability. To prevent this vulnerability, MS-DOS device names like aux, com, lpt need to be blocked. If your rule is blocking only com, the rule will end up blocking all the .com as well, triggering a lot of false positives.

Hope it helps

Abhi
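The false positive described in the reply above, as an added example that is not part of the original post: a substring rule for device names is compared with a rule that only fires when a whole path segment's base name is a device name. The device list (including the port digits on COM/LPT), the function names and the sample request targets are assumptions constructed for the illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Naive rule, as in the post: fire on the device-name string anywhere in the request.
NAIVE = re.compile(r"aux|com|lpt", re.IGNORECASE)

# Tighter rule: the base name of a whole path segment must be a device name.
# The list and the COM/LPT port digit are assumptions for this example.
DEVICE = re.compile(r"^(aux|con|nul|prn|com[1-9]|lpt[1-9])$", re.IGNORECASE)


def naive_match(request_target):
    return NAIVE.search(request_target) is not None


def segment_match(request_target):
    # Look only at the path (not the query string), decoded before matching.
    path = unquote(urlsplit(request_target).path)
    for segment in re.split(r"[/\\]", path):
        base = segment.split(".", 1)[0].strip()  # "COM1.jpg" -> "COM1"
        if DEVICE.match(base):
            return True
    return False


# Constructed sample request targets: (target, is_device_name_request)
SAMPLES = [
    ("/index.html?ref=www.example.com", False),
    ("/company/compare.php", False),
    ("/scripts/aux", True),
    ("/images/COM1.jpg", True),
    ("/docs/lpt1", True),
    ("/auxiliary/help.html", False),
]


def evaluate(matcher):
    """Return (false_positives, false_negatives) for a matcher over SAMPLES."""
    fp = [t for t, bad in SAMPLES if matcher(t) and not bad]
    fn = [t for t, bad in SAMPLES if not matcher(t) and bad]
    return fp, fn


if __name__ == "__main__":
    for name, matcher in (("naive", naive_match), ("segment", segment_match)):
        fp, fn = evaluate(matcher)
        print(f"{name}: false positives={fp} false negatives={fn}")
```
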
