Snort mailing list archives

Re: WebDAV


From: Erek Adams <erek () theadamsfamily net>
Date: Wed, 6 Nov 2002 14:33:11 -0800 (PST)

On Wed, 6 Nov 2002, Yaakov Yehudi wrote:

> Can anyone tell me if the WebDAV file lock alert can be triggered by
> anything other than an intentional attempt to lock a file for editing etc.
>
> Some ISPs have offered a range of reasons for this alert - including:
> "worms";
> "our client has no idea what you are talking about";
> and ... "Apparently, normal traffic is causing your alarm to sound. If you
> click on the animated banner to the right of the "NFC News First Class"
> logo, on this site: http://www.nfc.co.il/04-11-2002.html?04-21-11.  It
> evidently triggers your alarm. We investigated this from our customer
> behavior, and no wrong doing has occurred."
>
> I'll be grateful to hear your replies. I'm quite puzzled.

Well....  For one, I'm not 100% sure what rule you are talking about.
I'm going to guess you are referring to one of the following SIDs:

        969
        1070
        1079

Depending on which one, other content could be triggering it.  Check the
packet dump vs. the rule and see what made it fire.

You might be better off posting this to the snort-sigs list as that's
where the 'sig geeks' tend to hang out.  ;-)

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net


