Snort mailing list archives

Re: Rules & reference (ACID)


From: "Bruno Gimenes Pereti" <pereti () ump edu br>
Date: Sat, 10 Nov 2001 11:26:32 -0200

Hi Jeff,

Thanks for the answer. I think I didn't express myself well (my English is horrible).
I was trying to say there is no link in that "[url]". When I wrote [CVE], it was
just an example that points me to somewhere; it could be [Bugtraq] or so.
I'll update ACID anyway...
If it doesn't show me the link, I'll write again...

Thanks.

Bruno Gimenes Pereti.

----- Original Message -----
From: "Jeff Dell" <jdell () activeworx com>
To: "'Bruno Gimenes Pereti'" <pereti () ump edu br>; "'Snort-Users'"
<snort-users () lists sourceforge net>
Sent: Saturday, November 10, 2001 11:01 AM
Subject: RE: [Snort-users] Rules & reference (ACID)


Bruno,

There is nothing wrong with seeing "[url]" in acid. Take a look at the
rule that triggered the alert:

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml
autoload attempt"; flags:A+; content:"window.open(\"readme.eml\"";
nocase; classtype:attempted-user; sid:1290; rev:3;
reference:url,www.cert.org/advisories/CA-2001-26.html;)

As you can see, the reference points to a URL. It is a big difference
from CVE. CVEs are maintained by MITRE and are directed to the MITRE
web page. URLs can point to any webpage.

As far as updating your version of Acid, I would make sure you have the
latest beta, which is 17. There have been some changes lately that make
Acid more stable and feature rich.

Jeff

