03-23-2006 07:10 AM - edited 03-10-2019 01:56 AM
Has anyone else been seeing large occurences of this signature from what appears to be normal web application/browsing activity? No further tuning of the sig has been performed.
03-23-2006 11:07 AM
Just waiting on the tuned sig - I hope, I hope, I hope. If it doesn't come soon, we'll have to filter it or turn it off.
03-24-2006 07:36 AM
If you are seeing that signature firing, that means you or your users are browsing a web page including more than 2000 script action handlers.
That is possible but shouldn't be so common. I'd suggest to increase the Event Count value to something bigger.
The risk in this case would be to miss a real attack.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide