Snort mailing list archives

Re: msg update for these, please?


From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 28 Sep 2010 18:52:02 -0400

On 9/28/2010 16:13, Jefferson, Shawn wrote:
> Would this rule trigger for a 16-bit DOS MZ executable being requested as well?

actually, yes, 16425 would fire... that and several others as well :?

> The PE in the alert description could be misleading maybe. It looks like the
> rule only looks for ".exe" in the http_uri, and doesn't generate any alert by
> itself (just sets a flowbit that is checked by other rules).

you've hit the nail I was aiming at squarely on the head :P

> Actually it looks like 15306 checks for both MZ and PE executables anyway... not
> that big of a deal I guess, everyone knows what it means when you see this alert.

for 15306, yes... the other one doesn't alert, actually... it has 
flowbits:noalert; in it and seems to only set a flowbit indicating that a ".exe" 
string was detected in the HTTP request URI...
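For anyone reading the archive later: the rule set below is an added illustration of the flowbit hand-off the thread is describing, not the actual VRT rules 16425 and 15306 (the sids, the flowbit name, the msg strings and the exact content matches here are assumptions). The request-side rule only records that ".exe" appeared in the URI and never alerts on its own; the response-side rules alert on the downloaded file. The second rule fires on any MZ header, so a 16-bit DOS executable matches it; the third also follows e_lfanew (the 4-byte field at offset 0x3C of the MZ header) and requires the "PE\0\0" signature there, which is what actually separates a PE file from a plain DOS executable.

```snort
# Request side: note ".exe" in the URI, set a flowbit, but do not alert.
# (Example rule; sid and flowbit name are assumptions, not the real 16425.)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"EXAMPLE HTTP request for .exe file"; \
    flow:to_server,established; \
    content:".exe"; nocase; http_uri; \
    flowbits:set,http.exe.request; flowbits:noalert; \
    classtype:misc-activity; sid:1000001; rev:1; )

# Response side: alerts on any MZ header at the start of the returned file,
# so a 16-bit DOS executable matches just as a PE would.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"EXAMPLE MZ executable download (DOS or PE)"; \
    flow:to_client,established; \
    flowbits:isset,http.exe.request; \
    file_data; content:"MZ"; depth:2; \
    classtype:misc-activity; sid:1000002; rev:1; )

# Response side, PE only: read e_lfanew (4 bytes, little-endian, at offset 0x3C,
# i.e. 58 bytes past the end of the "MZ" match), jump that far from the start of
# the file buffer and require the "PE\0\0" signature there. A plain DOS MZ file
# has no PE header, so it does not match this rule.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"EXAMPLE PE executable download"; \
    flow:to_client,established; \
    flowbits:isset,http.exe.request; \
    file_data; content:"MZ"; depth:2; \
    byte_jump:4,58,relative,little,from_beginning; \
    content:"PE|00 00|"; within:4; \
    classtype:misc-activity; sid:1000003; rev:1; )
```

The depth:2 on the MZ match anchors the check to the first two bytes of the response body, so an "MZ" that happens to appear deeper in the payload does not trigger either response rule; the flowbits:isset keeps both from firing on executables that were not requested by a ".exe" URI.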
