Yes, especially client-side based rules. It's always better to be a bit exploit-specific. On the server side, chances are less if you write vulnerability-specific, or use some tactics to prevent false positives.
As abhi specified about the MS-DOS device name vulnerability, if we block just "com", it will trigger FPs for requests like "3com", ".com", "common", etc. So you need to *think* about how to counter it: maybe look for a space after 'com' or check that no bytes follow after 'com', while also keeping in mind various evasion tactics.

HTH
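The following is an added example, not part of the original post: a sketch of the whole-segment matching the message argues for, so that "3com", ".com" and "common" do not fire. The function names are hypothetical, and the reserved-name list and trailing dot/space handling are assumptions taken from Windows file-naming rules, not from the thread.

```python
import re
from urllib.parse import unquote

# Reserved DOS device names per Windows file-naming rules (assumption, not from the post).
_DEVICE = re.compile(r"(?:con|prn|aux|nul|com[1-9]|lpt[1-9])", re.IGNORECASE)

def _decode(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%2563om1) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def device_name_segments(uri):
    """Return the path segments of `uri` whose base name is a DOS device name."""
    path = uri.split("?", 1)[0].split("#", 1)[0]   # inspect the path only
    hits = []
    for segment in re.split(r"[/\\]", _decode(path)):
        # Windows path normalisation drops trailing dots and spaces, and a
        # reserved name followed by an extension is still reserved, so compare
        # only the part before the first dot.
        base = segment.rstrip(" .").split(".", 1)[0].rstrip(" ")
        if base and _DEVICE.fullmatch(base):       # whole name, never a substring
            hits.append(segment)
    return hits

# Constructed sample requests: the benign ones are the false positives named in the post.
SAMPLES = [
    "/downloads/3com/driver.zip",
    "/common/.com",
    "/docs/console.html",
    "/scripts/COM1",
    "/aux.asp?x=1",
    "/a/%2563om1%20/b",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri, "->", device_name_segments(uri))
```

Matching on the normalised whole segment rather than the substring is what removes the false positives while still covering the case, encoding and trailing-space variants.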
