Re: false alert

[waldo kitty <wkitty42 () windstream net>]

On 11/2/2012 15:22, Akinwale Fasuru wrote:
> Hi,
> I wrote ths rule to alert when anybody visit www.youtube.com but it does generate alert even when you have anything 
> that has www.youtube.com in it. How can i restrict the alert to only when someone visit the site
>
> alert tcp any any ->  any any (msg:"Someone is on youtube now!"; flow:from_client; content:"www.youtube.com"; 
> metadata:service http; classtype:policy-violation; priority:10; sid:1000002;rev:1;)


i'm sure you've seen my other two posts on this by now... i wanted to take this 
moment to point out to you that priorities and class-types might work backwards 
from what you may think they do... the lower (smaller) the number, the higher 
the "severity" or the more important it is... 1 is more severe/important than 2...


------------------------------------------------------------------------------
LogMeIn Central: Instant, anywhere, Remote PC access and management.
Stay in control, update software, and manage PCs from one command center
Diagnose problems and improve visibility into emerging IT issues
Automate, monitor and manage. Do more in less time with Central
http://p.sf.net/sfu/logmein12331_d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!