Snort mailing list archives
Re: false alert
From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 02 Nov 2012 19:21:03 -0400
On 11/2/2012 15:22, Akinwale Fasuru wrote:
Hi, I wrote this rule to alert when anybody visits www.youtube.com, but it generates an alert even when anything has www.youtube.com in it. How can I restrict the alert to only when someone visits the site?

alert tcp any any -> any any (msg:"Someone is on youtube now!"; flow:from_client; content:"www.youtube.com"; metadata:service http; classtype:policy-violation; priority:10; sid:1000002; rev:1;)
I'm sure you've seen my other two posts on this by now... I wanted to take this moment to point out to you that priorities and class-types might work backwards from what you may think they do... the lower (smaller) the number, the higher the "severity" or the more important it is... 1 is more severe/important than 2...
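Why the posted rule fires on anything that merely mentions www.youtube.com, and what changes when the match is anchored on the HTTP Host header instead: the script below is an added example written for this archive page, not code from either poster. It models the semantics of the two rules in plain Python over hand-constructed HTTP requests; the Snort rewrite quoted in the comment is an assumed rule (standard Snort 2.9 `http_header`/`pcre` options) that has not been run against a sensor here.

```python
"""Bare content match versus Host-header match for the "someone is on youtube" rule.

Added example for the Snort-users thread; not code from the original posters.
All HTTP requests below are constructed by hand for the demonstration.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed client-to-server payloads, as a sensor sees them on the wire.
VISIT_YOUTUBE = (
    b"GET /watch?v=abc HTTP/1.1\r\n"
    b"Host: www.youtube.com\r\n"
    b"User-Agent: test\r\n\r\n"
)
# Same site, but the Host value is upper-case and carries an explicit port.
VISIT_YOUTUBE_WITH_PORT = (
    b"GET / HTTP/1.1\r\n"
    b"Host: WWW.YOUTUBE.COM:443\r\n\r\n"
)
# A request to a different site whose Referer header points at YouTube.
REFERER_ONLY = (
    b"GET /blog/post HTTP/1.1\r\n"
    b"Host: www.example.org\r\n"
    b"Referer: https://www.youtube.com/watch?v=abc\r\n\r\n"
)
# A forum post whose body contains a YouTube link.
BODY_ONLY = (
    b"POST /comment HTTP/1.1\r\n"
    b"Host: forum.example.org\r\n"
    b"Content-Length: 38\r\n\r\n"
    b"text=see+https://www.youtube.com/watch"
)
# A look-alike host that merely starts with the string.
LOOKALIKE_HOST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.youtube.com.evil.example\r\n\r\n"
)


def naive_rule_fires(payload: bytes) -> bool:
    """Semantics of the posted rule: content:"www.youtube.com" with no
    buffer modifier and no nocase is a case-sensitive substring match
    anywhere in the client payload (headers, body, anything)."""
    return b"www.youtube.com" in payload


def http_host(payload: bytes) -> Optional[str]:
    """Return the request's Host header value, lower-cased with any :port
    stripped, or None if the payload is not an HTTP request with a Host."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    if not re.match(rb"^[A-Z]+ \S+ HTTP/1\.[01]$", lines[0]):
        return None
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            host = value.strip().lower().decode("ascii", "replace")
            return host.rsplit(":", 1)[0]  # drop an explicit :port, if any
    return None


def host_rule_fires(payload: bytes) -> bool:
    """Semantics of a Host-anchored rule: fire only when the request is
    actually addressed to www.youtube.com (exact host, case-insensitive).

    Assumed Snort 2.9 equivalent (not verified on a sensor here); the
    content keyword gives the fast-pattern matcher something to key on and
    the pcre anchors the whole Host line.  classtype policy-violation
    supplies its default priority, so no explicit priority is needed:

      alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (
        msg:"Someone is on youtube now!"; flow:to_server,established;
        content:"www.youtube.com"; nocase; http_header;
        pcre:"/^Host\\x3a\\s*www\\.youtube\\.com(\\x3a\\d+)?\\s*$/Hmi";
        classtype:policy-violation; sid:1000002; rev:2;)
    """
    return http_host(payload) == "www.youtube.com"


def compare(payloads: Dict[str, bytes]) -> Dict[str, Tuple[bool, bool]]:
    """Map each named payload to (naive rule fired, host rule fired)."""
    return {name: (naive_rule_fires(p), host_rule_fires(p))
            for name, p in payloads.items()}


if __name__ == "__main__":
    samples = {
        "visit": VISIT_YOUTUBE,
        "visit_upper_port": VISIT_YOUTUBE_WITH_PORT,
        "referer_only": REFERER_ONLY,
        "body_only": BODY_ONLY,
        "lookalike_host": LOOKALIKE_HOST,
    }
    for name, (naive, anchored) in compare(samples).items():
        print(f"{name:18s} naive={naive!s:5s} host_anchored={anchored}")
```

Running it shows the three false positives the original poster saw (Referer, body text, look-alike host all trip the bare content match) and one false negative the bare rule also has: without `nocase` it misses an upper-case Host value, while the Host-anchored check catches it.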
Current thread:
- false alert Akinwale Fasuru (Nov 02)
- Re: false alert waldo kitty (Nov 02)