Snort mailing list archives
Fine-tuning a rule
From: Shane Hickey <shane () howsyournetwork com>
Date: 17 May 2002 13:02:24 -0600
Hello, I'm receiving a large amount of false-positives on this rule alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS scripts access"; flags:A+; uricontent:"/scripts/"; nocase; classtype:web-application-activity; sid:1287; rev:2;) On all my false positives, the scripts directory is actually beneath another directory /test/. I was wondering if there's a way to pass traffic that is accessing /test/scripts/ and still alert me about any other /scripts/ http traffic? Thanks, Shane _______________________________________________________________ Hundreds of nodes, one monster rendering program. Now thatÂ’s a super model! Visit http://clustering.foundries.sf.net/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Fine-tuning a rule Shane Hickey (May 17)
- Re: Fine-tuning a rule Michael Scheidell (May 17)