Snort mailing list archives

Fine-tuning a rule


From: Shane Hickey <shane () howsyournetwork com>
Date: 17 May 2002 13:02:24 -0600

Hello,
        I'm receiving a large number of false positives on this rule

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS scripts
access"; flags:A+; uricontent:"/scripts/"; nocase;
classtype:web-application-activity; sid:1287; rev:2;)

        On all my false positives, the scripts directory is actually beneath
another directory, /test/.  I was wondering if there's a way to pass
traffic that is accessing /test/scripts/ and still alert me about any
other /scripts/ HTTP traffic?

Thanks,

Shane
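The two usual ways to tune a rule like sid:1287 are a separate pass rule for the known-good path, or a second, negated uricontent in the alert rule itself. The following is an added example, not code from the post or from the Snort project: a small Python model of Snort's uricontent matching that runs both variants over constructed sample URIs. It assumes uricontent is a plain substring test on the decoded URI (case-insensitive with nocase), that the Snort in use supports negated content (uricontent:!"..."), and that pass rules only take effect before alert rules when Snort is started with -o (the default order is Alert, Pass, Log). The rule objects, sample URIs and the evaluate() helper are all constructed for this example.

```python
# Added example (not from the original post or the Snort project): a model of
# how Snort evaluates uricontent options, used to compare two ways of tuning
# sid:1287 so that /test/scripts/ stops alerting.  All names below are
# constructed for this example.

from dataclasses import dataclass


@dataclass
class Rule:
    action: str            # "alert" or "pass"
    uricontent: list       # (pattern, negated) pairs; every pair must hold
    msg: str = ""


def uricontent_match(uri: str, pattern: str, negated: bool, nocase: bool = True) -> bool:
    """Emulate one uricontent option: substring test on the already-decoded
    URI, case-insensitive when nocase is set, inverted for uricontent:!"..."."""
    found = pattern.lower() in uri.lower() if nocase else pattern in uri
    return found != negated


def rule_matches(rule: Rule, uri: str) -> bool:
    return all(uricontent_match(uri, p, neg) for p, neg in rule.uricontent)


def evaluate(rules: list, uri: str, pass_first: bool = False) -> str:
    """Action of the first matching rule, or "none".

    Snort's default rule order is Alert -> Pass -> Log, so a pass rule only
    suppresses an alert when Snort runs with -o (Pass -> Alert -> Log).
    pass_first=True models the -o flag.
    """
    order = {"pass": 0, "alert": 1} if pass_first else {"alert": 0, "pass": 1}
    for rule in sorted(rules, key=lambda r: order[r.action]):
        if rule_matches(rule, uri):
            return rule.action
    return "none"


# sid:1287 as posted, reduced to its uricontent test
ALERT_SCRIPTS = Rule("alert", [("/scripts/", False)], "WEB-IIS scripts access")

# Option 1: a separate pass rule for the known-good path (needs snort -o):
#   pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (uricontent:"/test/scripts/"; nocase;)
PASS_TEST_SCRIPTS = Rule("pass", [("/test/scripts/", False)])
OPTION_PASS_RULE = [ALERT_SCRIPTS, PASS_TEST_SCRIPTS]

# Option 2: negated uricontent inside the alert rule:
#   uricontent:"/scripts/"; nocase; uricontent:!"/test/scripts/"; nocase;
OPTION_NEGATED = [Rule("alert", [("/scripts/", False), ("/test/scripts/", True)],
                       "WEB-IIS scripts access")]


def tune_results(uri: str) -> dict:
    """Compare the untuned rule with both tuning options for one URI."""
    return {
        "original": evaluate([ALERT_SCRIPTS], uri),
        "pass_rule_default_order": evaluate(OPTION_PASS_RULE, uri),
        "pass_rule_with_-o": evaluate(OPTION_PASS_RULE, uri, pass_first=True),
        "negated_uricontent": evaluate(OPTION_NEGATED, uri),
    }


# Constructed sample URIs, already URL-decoded as the http preprocessor
# presents them to uricontent
SAMPLES = [
    "/scripts/cmd.exe?/c+dir",               # real /scripts/ probe: must still alert
    "/test/scripts/report.asp",              # the false positive from the post
    "/TEST/Scripts/Report.asp",              # same path, different case (nocase)
    "/scripts/cmd.exe?path=/test/scripts/",  # excluded string smuggled in the query
    "/index.html",                           # no /scripts/ at all
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri)
        for name, action in tune_results(uri).items():
            print(f"    {name:26s} {action}")
```

Two points the table makes: with the default rule order the pass rule changes nothing, which is a common reason "my pass rule doesn't work"; and both tuned variants are substring exclusions, so a request that contains /test/scripts/ anywhere in the decoded URI (here, in the query string of a /scripts/cmd.exe probe) is suppressed as well. Anchoring the exclusion more tightly (for example to the start of the URI, or to a specific client) narrows that gap.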


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

