Snort mailing list archives
Re: MS12-063 Rule Triggering
From: JJC <cummingsj () gmail com>
Date: Thu, 13 Dec 2012 08:07:56 -0700
Joe, There are any number of reasons for this to not fire.. I assume that you are talking about sid:24212 ? 1: Is the sensor seeing the traffic (have you done a TCPDUMP etc to validate this 2: is the sensor also the target system or is it on a span (if it is the target run with k none) 3: in the case that you do have a pcap, have you verified that the attack traffic matches what the rule is looking for? 4: there are options in the http inspect preproc that may cause this.. ala how deep in the packet you are inspecting etc... JJC On Wed, Dec 12, 2012 at 3:45 PM, Kochen, Joe <joe.kochen () americo com> wrote:
MS12-063
------------------------------------------------------------------------------ LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial Remotely access PCs and mobile devices and provide instant support Improve your efficiency, and focus on delivering more value-add services Discover what IT Professionals Know. Rescue delivers http://p.sf.net/sfu/logmein_12329d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- MS12-063 Rule Triggering Kochen, Joe (Dec 13)
- Re: MS12-063 Rule Triggering JJC (Dec 13)