Snort mailing list archives
Re[2]: SID 1287
From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 6 Nov 2002 14:50:46 -0800 (PST)
On Wed, 6 Nov 2002, Filbert wrote:
Yeah, right. I did find the SID causing the alerts; that's not my problem. My question is: WHY should snort alert on this?
Ok, let's look at the rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS scripts access"; flow:to_server,established; uricontent:"/scripts/"; nocase; classtype:web-application-activity; sid:1287; rev:5;)

That will translate to: If snort sees a packet that is from the EXTERNAL_NET to the HTTP_SERVERS on a/the HTTP_PORTS that is an established connection 'to the server' that happens to have "/scripts/" in it, then fire this alert.

Now that rule is from the 1.9/2.0 CVS. You don't mention your version, so I'm guessing that you are using the most current (1.9.0). If you are not, then the old rule might have used the 'flags: A+' keyword instead of the 'flow:' keyword, which would have triggered on any packet with "/scripts/" in its content that had the ACK (and any other) bit set.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
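The flow-versus-flags difference Erek describes, as an added example that is not part of the thread or of Snort itself: a small Python matcher parses the quoted rule (and a constructed flags:A+ variant of it) and evaluates both against three constructed segments. The Packet model and the whole-payload content search are simplifications assumed here; real Snort uses stream tracking and a normalised URI buffer.

```python
from dataclasses import dataclass

# The two variants Erek contrasts, built from the rule quoted above: the 1.9 rule with
# flow:to_server,established, and the older form that used flags:A+ in its place.
RULE_FLOW = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
             '(msg:"WEB-IIS scripts access"; flow:to_server,established; '
             'uricontent:"/scripts/"; nocase; classtype:web-application-activity; '
             'sid:1287; rev:5;)')
RULE_FLAGS = RULE_FLOW.replace('flow:to_server,established;', 'flags:A+;')

@dataclass
class Packet:              # constructed stand-in for a segment plus stream-tracker state
    to_server: bool        # client -> server direction
    established: bool      # belongs to a session whose handshake was seen
    ack: bool              # ACK flag set on the segment
    payload: str           # application data in the segment

def parse_options(rule):
    """Split the option list inside the parentheses into a key -> value dict."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts = {}
    for opt in filter(None, (o.strip() for o in body.split(';'))):
        key, _, value = opt.partition(':')
        opts[key] = value.strip('"')
    return opts

def matches(rule, pkt):
    """Evaluate only the options sid:1287 uses.  Simplification: the content string is
    searched in the whole payload, as Erek describes for flags:A+ (real uricontent
    inspects the normalised URI buffer)."""
    o = parse_options(rule)
    if 'flow' in o:
        want = o['flow'].split(',')
        if ('to_server' in want and not pkt.to_server) or \
           ('established' in want and not pkt.established):
            return False
    elif o.get('flags') == 'A+' and not pkt.ack:   # A+: ACK set, other flags ignored
        return False
    needle, hay = o['uricontent'], pkt.payload
    if 'nocase' in o:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay

# Constructed traffic: a request, the server's reply quoting the path, and a lone ACK
# segment that no tracked session accounts for.
SAMPLES = {
    'request':   Packet(True, True, True, 'GET /Scripts/test.asp HTTP/1.0\r\n'),
    'response':  Packet(False, True, True, 'HTTP/1.0 404 Not Found\r\n\r\n/scripts/test.asp missing'),
    'stray_ack': Packet(True, False, True, 'GET /scripts/test.asp HTTP/1.0\r\n'),
}

def compare():  # (flow rule fires, flags rule fires) for each sample packet
    return {n: (matches(RULE_FLOW, p), matches(RULE_FLAGS, p)) for n, p in SAMPLES.items()}
```

Only the client request trips the flow-based rule; the response and the untracked segment trip only the old flags:A+ form, which is the extra noise Erek is pointing at.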
Current thread:
- SID 1287 Filbert (Nov 06)
- Re: SID 1287 Jens Krabbenhoeft (Nov 06)
- Re[2]: SID 1287 Filbert (Nov 06)
- Re[2]: SID 1287 Erek Adams (Nov 06)
- Re: SID 1287 Brian (Nov 07)
- Re[2]: SID 1287 Filbert (Nov 06)
- Re: SID 1287 Jens Krabbenhoeft (Nov 06)