Instead of writing exploit specific rules to prevent false positives, I think it is much better to have an understanding of protocol, and to have a signature or rule which will create a region where other vulnerability specific rules can operate.
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
