
Fifth Event

The WEB-IIS header field buffer overflow attempt alerts are all associated with traffic generated by Internet Explorer (see the User-Agent field in the HTTP requests). However, much of this traffic is again gibberish; we think it is probably images or zipped (compressed) content carried inside the HTTP connections. For the traffic that is legible, we found, firstly, that Snort is triggering on a false positive: the traffic consists of entirely benign HTTP requests. The Snort rule is very weak and only checks whether three specific bytes occur somewhere in the HTTP traffic, and any fixed three-byte pattern will turn up by chance in enough arbitrary binary content. Secondly, we concluded that the traffic does not indicate automated or scripted behaviour. The classification as automated behaviour is merely a statistical artifact of the vast amount of HTTP traffic in the logs.
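To illustrate why a three-byte content signature is weak, here is an added example (not code from the original report or from Snort) that places a naive byte-signature match beside a structural check that actually measures HTTP header field length. The signature bytes, the length threshold, the sample messages and the Internet Explorer User-Agent string are all constructed assumptions, not the real rule's values or captured traffic.

```python
"""Added example, not from the original report: a naive three-byte content
signature, like the weak Snort rule described above, next to a structural
check that measures HTTP header value length. Signature bytes, threshold
and sample messages are constructed assumptions."""
import random

# Hypothetical stand-in for a three-byte content signature; the real rule's
# bytes are not given in the text.
WEAK_SIGNATURE = b"\xde\xad\xbe"
# Assumed size above which a header value is treated as an overflow attempt.
MAX_HEADER_VALUE_LEN = 1024

# Constructed benign request from an Internet Explorer 6 client.
BENIGN_GET = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"\r\n"
)

# Constructed benign upload whose binary body happens to contain the
# signature bytes, as image or zipped content eventually will.
BENIGN_UPLOAD = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Content-Type: application/zip\r\n"
    b"Content-Length: 12\r\n"
    b"\r\n"
    b"PK\x03\x04\xde\xad\xbe\xef\x00\x01\x02\x03"
)

# Constructed request with an oversized header value, the shape a header
# field buffer overflow attempt actually has; no signature bytes in it.
OVERSIZED_HEADER = (
    b"GET / HTTP/1.1\r\n"
    + b"Host: www.example.com\r\n"
    + b"User-Agent: " + b"A" * 4096 + b"\r\n"
    + b"\r\n"
)


def weak_match(message: bytes) -> bool:
    """The weak rule: fire if the three bytes occur anywhere, body included."""
    return WEAK_SIGNATURE in message


def parse_http(message: bytes):
    """Split an HTTP message into (start_line, [(name, value), ...], body).
    Returns None when the header block is not terminated by CRLF CRLF."""
    head, sep, body = message.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def oversized_header_field(message: bytes, limit: int = MAX_HEADER_VALUE_LEN) -> bool:
    """Structural check: does any header value exceed the limit?
    Only the header block is inspected, so binary bodies cannot trigger it."""
    parsed = parse_http(message)
    if parsed is None:
        return False
    _, headers, _ = parsed
    return any(len(value) > limit for _, value in headers)


def expected_chance_hits(total_payload_bytes: int) -> float:
    """Expected occurrences of a fixed three-byte string in uniformly random
    data: one per 2**24 byte positions."""
    return max(total_payload_bytes - 2, 0) / 2 ** 24


def simulate_chance_hits(n_messages: int, body_len: int, seed: int = 7) -> int:
    """Count weak-rule alerts on n_messages benign uploads carrying random
    bodies (a stand-in for compressed content)."""
    rng = random.Random(seed)
    head = BENIGN_UPLOAD.split(b"\r\n\r\n")[0] + b"\r\n\r\n"
    hits = 0
    for _ in range(n_messages):
        body = rng.getrandbits(8 * body_len).to_bytes(body_len, "big")
        if weak_match(head + body):
            hits += 1
    return hits


if __name__ == "__main__":
    samples = [("benign GET", BENIGN_GET), ("benign upload", BENIGN_UPLOAD),
               ("oversized header", OVERSIZED_HEADER)]
    for name, msg in samples:
        print(f"{name:17s} weak_match={weak_match(msg)!s:5} "
              f"oversized_header_field={oversized_header_field(msg)}")
    print(f"expected chance hits per GiB of binary traffic: "
          f"{expected_chance_hits(1 << 30):.0f}")
```

The weak rule fires on the benign upload and misses the oversized header, while the structural check does the opposite; the expected-hit estimate shows that even a few gigabytes of image or archive traffic is enough to produce dozens of chance matches, which is the statistical effect the analysis above attributes to the volume of HTTP traffic in the logs.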



Raffy 2004-12-20