Snort mailing list archives
Re: Signature has generate alert without match with the packet
From: Joel Esler <joel.esler () sourcefire com>
Date: Fri, 26 Aug 2005 08:42:24 -0400
Are you using Barnyard?

Joel Esler
Sourcefire

On Aug 26, 2005, at 8:34 AM, Diego Cavalcante Fernandes wrote:

Hi,

I have some signatures, for example:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE _vti_inf.html access"; flow:to_server,established; uricontent:"/_vti_inf.html"; nocase; reference:nessus,11455; classtype:web-application-activity; sid:990; rev:9;)

This signature generated some alerts. But the packets that generated the alerts don't have a payload; they only have an IP and a TCP header. How can such a packet generate an alert without having the uricontent "/_vti_inf.html" specified in the signature?

Obs: I'm using the database output plugin, like this:

output database: alert, mysql, user=root dbname=snort host=cirene, detail=full

This output logs the whole packet, including the payload.
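As an added check (not part of the thread and not Snort's own code), the query below lists the sid 990 events whose logged packet carries no payload, together with the TCP flags of that packet, so bare ACK/handshake segments can be told apart from data segments. It assumes the table and column names of the standard Snort MySQL schema written by the database output plugin (event, signature, data, tcphdr, data_payload, tcp_flags); verify them against your own database before running.

```sql
-- Added example, not from the original post.
-- Assumes the standard Snort MySQL schema created by the database output plugin:
--   event(sid, cid, signature, timestamp)
--   signature(sig_id, sig_sid, sig_name, ...)
--   data(sid, cid, data_payload)        -- payload stored hex-encoded as TEXT
--   tcphdr(sid, cid, tcp_flags, ...)
-- Lists every sid 990 event whose logged packet has an empty payload.
SELECT e.sid,
       e.cid,
       e.timestamp,
       t.tcp_flags,                              -- e.g. 0x10 = ACK only, 0x18 = PSH+ACK
       LENGTH(d.data_payload) AS payload_hex_len -- 0 or NULL means no payload was logged
FROM event e
JOIN signature s  ON s.sig_id = e.signature
LEFT JOIN data d   ON d.sid = e.sid AND d.cid = e.cid
LEFT JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
WHERE s.sig_sid = 990
  AND (d.data_payload IS NULL OR LENGTH(d.data_payload) = 0)
ORDER BY e.timestamp;
```

If every row returned has tcp_flags of 0x10 (ACK) and no payload, the stored packet is not the one that contained the URI; compare the cid against the corresponding event in the unified/Barnyard output (or a pcap from the same sensor) to find which packet actually matched.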
Current thread:
- Signature has generate alert without match with the packet Diego Cavalcante Fernandes (Aug 26)
- Re: Signature has generate alert without match with the packet Joel Esler (Aug 26)