Snort mailing list archives

Signature has generated an alert without matching the packet


From: Diego Cavalcante Fernandes <diegomusic2000 () yahoo com br>
Date: Fri, 26 Aug 2005 09:34:08 -0300 (ART)

Hi,
I have some signatures, for example:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE _vti_inf.html access"; flow:to_server,established; uricontent:"/_vti_inf.html"; nocase; reference:nessus,11455; classtype:web-application-activity; sid:990; rev:9;)

This signature generated some alerts. But the packets that generated the alerts don't have a payload; they only have an IP and TCP header. How can such a packet generate an alert without containing the uricontent "/_vti_inf.html" specified in the signature?

Note: I'm using the database output plugin, like this:

output database: alert, mysql, user=root dbname=snort host=cirene,detail=full

This output logs the whole packet, including the payload.

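The post above asks how a rule with a uricontent match can fire on a packet that carries no payload. The toy matcher below is an added illustration, not part of the original message and not Snort's own detection engine; it assumes one plausible cause, namely that the content test is evaluated against a reassembled TCP stream while the record handed to the logger is the segment that completed the stream (here a bare ACK). All packet data is constructed for the example.

```python
"""Toy demonstration of packet-level versus stream-level content matching.

Added example, not from the original post. It models one possible cause of
payload-less alerts: the rule's uricontent is found in the reassembled
TCP stream, while the segment that completes that stream (a bare ACK with
no payload) is what gets recorded as the alerting packet. This is a
hypothesis to check against the sensor's configuration, not a statement
about the poster's setup.
"""

from dataclasses import dataclass

# uricontent from the rule quoted in the post; 'nocase' means case-insensitive
PATTERN = b"/_vti_inf.html"


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # segment payload (may be empty for a pure ACK)


def match_segment(payload: bytes, pattern: bytes = PATTERN) -> bool:
    """Packet-level match with 'nocase' semantics: case-insensitive substring."""
    return pattern.lower() in payload.lower()


def reassemble(segments: list[Segment]) -> bytes:
    """Order segments by sequence number and concatenate their payloads.

    Toy reassembler: assumes no gaps, overlaps or retransmissions.
    """
    return b"".join(s.payload for s in sorted(segments, key=lambda s: s.seq))


def analyze(segments: list[Segment], pattern: bytes = PATTERN) -> dict:
    """Apply the content test per segment and to the reassembled stream.

    Returns which individual segments match, whether the whole stream
    matches, and the payload length of the last segment delivered, which is
    the one a flush-on-ACK reassembler would associate with the alert.
    """
    per_segment = [match_segment(s.payload, pattern) for s in segments]
    stream_hit = match_segment(reassemble(segments), pattern)
    completing = segments[-1]
    return {
        "per_segment": per_segment,
        "stream_hit": stream_hit,
        "completing_payload_len": len(completing.payload),
    }


def build_sample() -> list[Segment]:
    """Constructed sample: one HTTP request split across two data segments,
    followed by a pure ACK carrying no payload."""
    chunks = [
        b"GET /_VTI_IN",                                   # pattern split here
        b"F.HTML HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
        b"",                                               # bare ACK, no data
    ]
    segments, seq = [], 1
    for chunk in chunks:
        segments.append(Segment(seq=seq, payload=chunk))
        seq += len(chunk)
    return segments


if __name__ == "__main__":
    result = analyze(build_sample())
    print("per-segment matches :", result["per_segment"])       # [False, False, False]
    print("stream match        :", result["stream_hit"])        # True
    print("completing segment payload bytes:", result["completing_payload_len"])  # 0
```

If the logged packets are consistently bare ACKs or FINs on established sessions to the web servers, the first thing to verify is whether stream reassembly is enabled in snort.conf and which packet the output plugin receives when a rule matches on the rebuilt stream.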