Snort mailing list archives
RE: Rules & reference (ACID)
From: "Jeff Dell" <jdell () activeworx com>
Date: Sat, 10 Nov 2001 08:01:37 -0500
Bruno,

There is nothing wrong with seeing "[url]" in acid. Take a look at the rule that triggered the alert:

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml autoload attempt"; flags:A+; content:"window.open(\"readme.eml\""; nocase; classtype:attempted-user; sid:1290; rev:3; reference:url,www.cert.org/advisories/CA-2001-26.html;)

As you can see, the reference points to a url. It is a big difference from CVE. CVEs are maintained by MITRE and are directed to the MITRE web page. URLs can point to any webpage.

As far as updating your version of Acid, I would make sure you have the latest beta, which is 17. There have been some changes lately that make Acid more stable and feature rich.

Jeff
-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Bruno Gimenes Pereti
Sent: Saturday, November 10, 2001 6:26 AM
To: Snort-Users
Subject: [Snort-users] Rules & reference (ACID)

Hi All,

I updated to Snort 1.8.2 from the rpm available in www.snort.com and I'm using the rules that come with it. I've got some attempts of "WEB-MISC readme.eml autoload attempt" and ACID report shows: "[url] WEB-MISC readme.eml autoload attempt". I mean... Shouldn't there be something like [CVE] with the link to the www.cert.org page?

I'm using ACID v0.9.6 with schema 104. Do I need to update my ACID?

Thanks.
Bruno Gimenes Pereti.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
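An added example, not part of the original thread and not Snort or ACID code: a small parser that pulls the reference system and id out of the rule quoted above and builds the "[url] ..." label and link seen in the report. The prefix table is an assumption modelled on Snort's reference.config, and the function names are hypothetical.

```python
# Assumed prefix table, modelled on Snort's reference.config; only the two
# reference systems discussed in this thread are listed.
REFERENCE_PREFIXES = {
    "url": "http://",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
}

# The rule quoted in the message above (sid 1290).
RULE = (r'alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml autoload attempt"; '
        r'flags:A+; content:"window.open(\"readme.eml\""; nocase; classtype:attempted-user; '
        r'sid:1290; rev:3; reference:url,www.cert.org/advisories/CA-2001-26.html;)')

def split_options(rule):
    """Split the option body on ';', ignoring ';' inside quoted strings."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    options, current, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:                      # character after a backslash is literal
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            options.append("".join(current).strip())
            current = []
            continue
        current.append(ch)
    return [o for o in options if o]

def parse_rule(rule):
    """Return msg, sid and the (system, id) pairs of every reference option."""
    parsed = {"msg": None, "sid": None, "references": []}
    for opt in split_options(rule):
        key, _, value = (part.strip() for part in opt.partition(":"))
        if key == "msg":
            parsed["msg"] = value.strip('"')
        elif key == "sid":
            parsed["sid"] = int(value)
        elif key == "reference":
            system, _, ref_id = value.partition(",")
            parsed["references"].append((system.strip().lower(), ref_id.strip()))
    return parsed

def alert_label(parsed):
    """Signature name prefixed with one [system] tag per reference."""
    return "".join(f"[{s}] " for s, _ in parsed["references"]) + parsed["msg"]

def reference_links(parsed):
    """Full link per reference; None when the system has no known prefix."""
    return [REFERENCE_PREFIXES[s] + r if s in REFERENCE_PREFIXES else None
            for s, r in parsed["references"]]
```

A rule carrying `reference:cve,<id>` instead would produce a "[cve]" tag and a link under the MITRE prefix, which is the difference the reply describes.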