I'm getting dozens of hits a day on IPS rule #16377. Here's a typical log entry:
2011:12:21-06:55:05 fw snort[6883]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="EXPLOIT Internet Explorer DOM mergeAttributes memory corruption attempt" group="320" srcip="216.137.33.105" dstip="192.168.31.17" proto="6" srcport="80" dstport="54956" sid="16377" class="Misc activity" priority="3" generator="3" msgid="0"
The e-mail alert refers me to this URL:
But when I try to go there, SNORT tells me "This rule does not exist in our database." This has been going on for some weeks now. Shouldn't the Up2Date pattern updates have taken care of this problem? Am I missing something?
On the theory that these are false positives based on an obsolete rule, I've figured (I think) how to turn off the notifications in the Advanced tab of the IPS section, but it's too soon to tell if it's working. Is anyone else seeing this problem?
This thread was automatically locked due to age.
