Snort mailing list archives
Re[2]: SID 1287
From: Filbert <Filbert () pandora be>
Date: Wed, 6 Nov 2002 17:53:52 +0100
Hello Jens, Wednesday, November 6, 2002, 5:24:23 PM, you wrote: JK> Hi,
They are coming from SID 1287.
JK> http://www.snort.org/snort-db/sid.html?sid=1287 JK> +----------------------------------------------------------------------------+ JK> | SID | 1287 | message | WEB-IIS scripts access | JK> |---------------+------------------------------------------------------------| JK> | Signature | alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS | JK> | | (msg:"WEB-IIS scripts access"; flow:to_server,established; | JK> | | uricontent:"/scripts/"; nocase; | JK> | | classtype:web-application-activity; sid:1287; rev:5;) | JK> |---------------+------------------------------------------------------------|
GET /custx/scrip ts/collection/of
JK> "/scripts/" there :).
Many thanks,
JK> HTH, JK> Jens Yaeh, right. I did found the SID causing the alerts that's not my problem. My question is : WHY should snort alert on this? -- Filbert mailto:Filbert () pandora be ------------------------------------------------------- This sf.net email is sponsored by: See the NEW Palm Tungsten T handheld. Power & Color in a compact size! http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0001en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- SID 1287 Filbert (Nov 06)
- Re: SID 1287 Jens Krabbenhoeft (Nov 06)
- Re[2]: SID 1287 Filbert (Nov 06)
- Re[2]: SID 1287 Erek Adams (Nov 06)
- Re: SID 1287 Brian (Nov 07)
- Re[2]: SID 1287 Filbert (Nov 06)
- Re: SID 1287 Jens Krabbenhoeft (Nov 06)