Hi, List

Sometimes there is no :intruder-port in the (TCP|UDP)_Port_Scan signature details, and no :reason either. Why?

As I mentioned before, I have faced a great number of false positives (I think so) with HTTP replies from Web sites: all highly loaded web servers scan my HTTP proxy. It's easy to investigate if :intruder-port and :reason are shown in the details, but when they are not present...

So, my question is: why do we sometimes see :intruder-port and :reason and sometimes not? Is it because sometimes :intruder-port is a single one, so it can be specified in the details, and sometimes :intruder-port is different for different probes, so it can't be specified?

How can I influence the appearance of :intruder-port? Can I somehow correlate :intruder-port with XXP_Port_Scan triggering (i.e. if :intruder-port is 80 and there is no :reason, the port scan signature does not trigger)?
Thanks.

---
Best regards, Sergey V. Soldatov.
Information security department.

_______________________________________________
ISSForum mailing list
ISSForum@iss.net