Snort mailing list archives

RE: alert refused to pass


From: Jasmine CHUA <Jasmine.Chua () internationalsos com>
Date: Fri, 27 Feb 2004 18:07:50 +0800

 

People .. oops! I spotted my mistake. Accidentally put one of the IP addresses
into INTRA_NET site. 

Sorry! 

Cheers,
Jas

-----Original Message-----
From: Jasmine CHUA 
Sent: Friday, February 27, 2004 5:42 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] alert refused to pass



*** PGP Signature Status: bad
*** Signer: Jasmine Chua <jasmine.chua () internationalsos com>
*** Signed: 2/27/2004 5:41:48 PM
*** Verified: 2/27/2004 6:00:15 PM
*** BEGIN PGP VERIFIED MESSAGE ***

Hi all

I have a problem here and hope someone can help me see some light. I have a
pass rule that goes:

pass tcp $INTRA_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC /doc/ access"; \
    flow:to_server,established; uricontent:"/doc/"; nocase; \
    reference:cve,CVE-1999-0678; reference:bugtraq,318; \
    classtype:web-application-activity; sid:1000026; rev:1;)

However, I am still seeing traffic and the rule does not work.

My snort.conf :

var INTRA_NET [x.x.x.x/x]

var HTTP_SERVERS [y.y.y.y/y]


And, I did include a "-o" when running snort.

What am I missing here.. :(

Jas 

*** END PGP VERIFIED MESSAGE ***





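
The cause reported in this thread was a mistake in the addresses listed in INTRA_NET. One way to check a pass rule's address variable against the sources that still alert, as an added example that is not part of the original messages: the snort.conf text and addresses are constructed (documentation ranges), the function names are hypothetical, and only flat `var` lists with per-item `!` negation are handled (no `$` references).

```python
import ipaddress
import re

# Constructed snort.conf fragment; addresses are documentation ranges.
SAMPLE_CONF = """\
var INTRA_NET [192.0.2.0/25,198.51.100.17]
var HTTP_SERVERS [203.0.113.10/32]
var HTTP_PORTS 80
"""

def parse_ip_var(conf_text, name):
    """Return (included, excluded) networks for `var NAME ...` in snort.conf text."""
    pattern = rf"^\s*var\s+{re.escape(name)}\s+(\S.*?)\s*$"
    m = re.search(pattern, conf_text, re.M)
    if not m:
        raise KeyError(f"variable {name} is not defined")
    value = m.group(1)
    if value.lower() == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], []
    included, excluded = [], []
    for item in value.strip("[]").split(","):
        item = item.strip()
        if not item:
            continue
        target = excluded if item.startswith("!") else included
        # strict=False accepts a CIDR with host bits set (e.g. 192.0.2.5/24).
        target.append(ipaddress.ip_network(item.lstrip("!"), strict=False))
    return included, excluded

def in_var(addr, nets):
    """True if addr matches the variable: in an included net and not excluded."""
    included, excluded = nets
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in included) and not any(ip in n for n in excluded)

def uncovered_sources(conf_text, name, alert_sources):
    """Alert source addresses that the variable does not cover, sorted."""
    nets = parse_ip_var(conf_text, name)
    missing = {s for s in alert_sources if not in_var(s, nets)}
    return sorted(missing, key=ipaddress.ip_address)

if __name__ == "__main__":
    # Constructed source addresses, as they might be read from an alert file.
    sources = ["192.0.2.10", "192.0.2.200", "198.51.100.17", "198.51.100.18"]
    for src in uncovered_sources(SAMPLE_CONF, "INTRA_NET", sources):
        print(f"{src} is outside INTRA_NET; a pass rule on $INTRA_NET will not match it")
```

Sources the script reports are ones a pass rule keyed on `$INTRA_NET` cannot suppress; sources it does not report match the variable as written, whether or not they were meant to be in it.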

