Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re[2]: SID 1287

From: Filbert <Filbert () pandora be>
Date: Wed, 6 Nov 2002 17:53:52 +0100
Hello Jens,

Wednesday, November 6, 2002, 5:24:23 PM, you wrote:

JK> Hi,


They are coming from SID 1287.


JK> http://www.snort.org/snort-db/sid.html?sid=1287

JK> +----------------------------------------------------------------------------+
JK> |      SID      | 1287        |    message     | WEB-IIS scripts access      |
JK> |---------------+------------------------------------------------------------|
JK> |   Signature   | alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS   |
JK> |               | (msg:"WEB-IIS scripts access"; flow:to_server,established; |
JK> |               | uricontent:"/scripts/"; nocase;                            |
JK> |               | classtype:web-application-activity; sid:1287; rev:5;)      |
JK> |---------------+------------------------------------------------------------|


GET /custx/scrip
ts/collection/of


JK> "/scripts/" there :).


Many thanks,


JK> HTH,
JK>         Jens



Yaeh, right. I did found the SID causing the alerts that's not my
problem.
My question is : WHY should snort alert on this?


-- 
 Filbert                          mailto:Filbert () pandora be



-------------------------------------------------------
This sf.net email is sponsored by: See the NEW Palm 
Tungsten T handheld. Power & Color in a compact size!
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0001en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: