Snort mailing list archives
Alert with bug?
From: Diego Cavalcante Fernandes <diegomusic2000 () yahoo com br>
Date: Wed, 24 Aug 2005 11:59:49 -0300 (ART)
Hi,

I have some signatures, for example:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE _vti_inf.html access"; flow:to_server,established; uricontent:"/_vti_inf.html"; nocase; reference:nessus,11455; classtype:web-application-activity; sid:990; rev:9;)

This signature generated some alerts. But the packets that generated the alerts don't have a payload; they only have an IP and TCP header.

How can this packet generate an alert without having the uricontent "/_vti_inf.html" specified in the signature?