Snort mailing list archives

Re[2]: SID 1287


From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 6 Nov 2002 14:50:46 -0800 (PST)

On Wed, 6 Nov 2002, Filbert wrote:

Yeah, right. I did find the SID causing the alerts; that's not my
problem.
My question is: WHY should snort alert on this?

Ok, let's look at the rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS
scripts access"; flow:to_server,established; uricontent:"/scripts/";
nocase; classtype:web-application-activity; sid:1287;  rev:5;)

That will translate to:  If snort sees a packet that is from the
EXTERNAL_NET to the HTTP_SERVERS on one of the HTTP_PORTS, that is part of an
established connection 'to the server' and that happens to have "/scripts/" in
it, then fire this alert.

Now that rule is from the 1.9/2.0 CVS.  You don't mention your version, so
I'm guessing that you are using the most current (1.9.0).  If you are not,
then the old rule might have used the 'flags: A+' keyword instead of
the 'flow:' keyword which would have triggered on any packet with
"/scripts/" in its content that had the ACK (and any other) bit set.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
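To make the difference between the two rule forms described above concrete, here is an added Python model (not code from the post, and not Snort's own matching engine) that evaluates the older 'flags:A+' form and the rev:5 'flow:to_server,established' form of SID 1287 against the same constructed packets. The values of $HTTP_SERVERS and $HTTP_PORTS, the flow table and the sample traffic are assumptions, and uricontent is simplified to a payload search.

```python
from dataclasses import dataclass

HTTP_SERVERS = {"10.0.0.5"}   # assumed value of $HTTP_SERVERS
HTTP_PORTS = {80}             # assumed value of $HTTP_PORTS

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str      # TCP flag letters as Snort writes them (S, A, P, F ...)
    payload: bytes

def header_matches(pkt):
    # tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ($EXTERNAL_NET = not one of our servers)
    return pkt.src not in HTTP_SERVERS and pkt.dst in HTTP_SERVERS and pkt.dport in HTTP_PORTS

def content_matches(pkt):
    # uricontent:"/scripts/"; nocase;  -- simplified to a case-insensitive search
    # of the raw payload (real Snort searches the normalised request URI)
    return b"/scripts/" in pkt.payload.lower()

def old_rule_fires(pkt):
    # older revision with 'flags:A+': any packet with the ACK bit set, whatever
    # other bits are set and whether or not a session was ever established
    return header_matches(pkt) and "A" in pkt.flags and content_matches(pkt)

def new_rule_fires(pkt, established):
    # rev:5 with 'flow:to_server,established': the stream tracker must have seen
    # the session set up; modelled here as a set of (src, dst, dport) tuples
    return (header_matches(pkt) and (pkt.src, pkt.dst, pkt.dport) in established
            and content_matches(pkt))

def compare(packets, established):
    """Return (old_fires, new_fires) for each packet, in order."""
    return [(old_rule_fires(p), new_rule_fires(p, established)) for p in packets]

# Constructed sample traffic (not captured data).
ESTABLISHED = {("198.51.100.7", "10.0.0.5", 80)}
SAMPLE = [
    # request inside a tracked session: both revisions alert
    Packet("198.51.100.7", "10.0.0.5", 80, "PA", b"GET /scripts/x.asp HTTP/1.0\r\n"),
    # same bytes with ACK set but no session ever set up: only the old rule alerts
    Packet("203.0.113.9", "10.0.0.5", 80, "A", b"GET /SCRIPTS/x.asp HTTP/1.0\r\n"),
    # ACK bit clear and no session: neither alerts
    Packet("203.0.113.9", "10.0.0.5", 80, "S", b"GET /scripts/x.asp HTTP/1.0\r\n"),
    # established session but a different path: neither alerts
    Packet("198.51.100.7", "10.0.0.5", 80, "PA", b"GET /index.html HTTP/1.0\r\n"),
]
```

Running compare(SAMPLE, ESTABLISHED) shows the second packet as the case the original poster is asking about: the old flags-based rule alerts on it, the flow-based rule does not.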


