Snort mailing list archives
false alarm? do I have preprocessor right?
From: Michael Scheidell <scheidell () secnap net>
Date: Wed, 27 Nov 2002 12:18:39 -0500 (EST)
I appear to be getting a false alarm on [snort/839] WEB-CGI finger access

Snort 1.9
FREEBSD 4.7-STABLE

rules says:
uricontent:"/finger";
http://www.snort.org/snort-db/sid.html?sid=839

payload has this in it:
GET /f/1040/759/1h/pic.infospace.com/info.xcite/pics/fingersm.gif
'http://63.240.15.147/f/1040/759/1h/pic.infospace.com/info.xcite/pics/fingersm.gif'

Shouldn't /uricontent / finger, basically look for this only?
GET /finger

Not anything with a leading /finger?

snort.conf:
preprocessor frag2
preprocessor stream4: noinspect, disable_evasion_alerts, ttl_limit 0
preprocessor stream4_reassemble: noalerts
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode \
    iis_flip_slash full_whitespace

--
Michael Scheidell
SECNAP Network Security, LLC
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Looking for a career in Internet security?
http://www.secnap.net/employment/
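A simplified model of the match in question, added here as an illustration and not taken from the original message or from Snort's source. It assumes uricontent behaves as an unanchored substring search over the decoded request URI, and compares that with a hypothetical stricter check (`anchored_match`) that requires `finger` to be a whole path segment. The HTTP version token and every sample request line other than the one quoted in the message are constructed.

```python
import re
from urllib.parse import unquote

def request_uri(request_line):
    """Return the percent-decoded URI from an HTTP request line, or None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    # One decode pass only: a simplification of what a decoding preprocessor does.
    return unquote(parts[1])

def substring_match(uri, content="/finger"):
    """Assumed uricontent behaviour: content may appear anywhere in the URI."""
    return content in uri

def anchored_match(uri, name="finger"):
    """Hypothetical stricter check: name is a whole path segment, with an
    optional extension, followed by '/', '?' or the end of the URI."""
    pattern = r"/" + re.escape(name) + r"(\.[A-Za-z0-9]+)?(?=[/?]|$)"
    return re.search(pattern, uri) is not None

def evaluate(request_lines):
    """Map each request line to (substring hit, anchored hit)."""
    results = {}
    for line in request_lines:
        uri = request_uri(line)
        if uri is None:
            continue
        results[line] = (substring_match(uri), anchored_match(uri))
    return results

# First line uses the URI quoted in the message; the rest are constructed.
SAMPLES = [
    "GET /f/1040/759/1h/pic.infospace.com/info.xcite/pics/fingersm.gif HTTP/1.0",
    "GET /cgi-bin/finger?user=root HTTP/1.0",
    "GET /cgi-bin/%66inger HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

if __name__ == "__main__":
    for line, (loose, strict) in evaluate(SAMPLES).items():
        print(f"substring={loose!s:5} anchored={strict!s:5} {line}")
```

The image request triggers only the substring check because `/fingersm.gif` begins with `/finger`; the percent-encoded request shows why the URI has to be decoded before either check runs.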
Current thread:
- false alarm? do I have preprocessor right? Michael Scheidell (Nov 27)
- Re: false alarm? do I have preprocessor right? Matt Kettler (Nov 27)