Snort mailing list archives

Re: http-inspect sig id Snort Alert 21

From: Nigel Houghton <nhoughton () sourcefire com>
Date: Fri, 16 Apr 2010 08:38:36 -0400

On Thu, Apr 15, 2010 at 11:10 PM, Russell Fulton
<r.fulton () auckland ac nz> wrote:

I am seeing several of these on various snort sensors

Snort Alert [119:21:0]

so far as I can see the latest gen-sig.map goes up to 119:18...

Any idea what these are?



Russell Fulton

Information Security Officer, The University of Auckland
New Zealand




------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs


Yes, it is "MULTIPLE CONTENT LENGTH HEADER FIELDS".

There's an updated gen-msg.map going out with Snort 2.8.6 next week.

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/

------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Current thread:

http-inspect sig id Snort Alert 21 Russell Fulton (Apr 15)
- Re: http-inspect sig id Snort Alert 21 Nigel Houghton (Apr 16)