Snort mailing list archives
WEB-IIS view source via translate header
From: Elena Escolano Torner <eescolano () tissat es>
Date: Mon, 05 Jan 2004 12:08:15 +0100
Good morning everyone,

We are using snort Version 2.0.2 (Build 92). We have defined this:

var DMZ_GVA_HTTP_NO_TRANSLATE [a.a.a.85,b.b.b.68,c.c.c.3,d.d.d.227]

pass tcp $EXTERNAL_NET any -> $DMZ_GVA_HTTP_NO_TRANSLATE $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow: to_server,established; content: "Translate|3a| F"; nocase; reference:bugtraq,1578; reference:arachnids,305; classtype:web-application-activity; sid:1000017; rev:1;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow: to_server,established; content: "Translate|3a| F"; nocase; reference:bugtraq,1578; reference:arachnids,305; classtype:web-application-activity; sid:1042; rev:6;)

We have defined the pass rule to avoid some alarms, but unfortunately we are getting these alarms:

9.84 108 WEB-IIS view source via translate header {TCP} 28 80.58.44.42 -> b.b.b.68

We have also changed the order in which the rules are processed:

/usr/sbin/snort -D -i eth1 -m 027 -l /var/log/snort -b -u snort -g snort -o -c /etc/snort/snort.conf

Does anyone know what could have happened?

Please answer to: security () infocentre gva es