Snort mailing list archives
Re: Snort weird behaviour
From: Joel Esler <jesler () sourcefire com>
Date: Sun, 26 Aug 2012 08:09:38 -0400
Sounds more like a logging problem. ? -- Joel Esler On Aug 26, 2012, at 2:37 AM, Balasubramaniam Natarajan <bala150985 () gmail com> wrote:
On Sun, Aug 26, 2012 at 1:55 AM, waldo kitty <wkitty42 () windstream net> wrote:what rule?Rule is something like this. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Looking for POST"; flow:established,to_server; content:"POST"; http_method; content:"xxxxyyyyzzzzz"; sid: xxxxxxxx; rev:1)do you have a pcap?I don't have a PCAP, however when I see the payload section of this alert in Base, I can clearly see that it is GET xxxxyyyyzzzzz host: aaaabbbbcccc.com------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!-- Regards, Balasubramaniam Natarajan www.etutorshop.com/moodle/ ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort weird behaviour Balasubramaniam Natarajan (Aug 25)
- Re: Snort weird behaviour waldo kitty (Aug 25)
- Re: Snort weird behaviour Balasubramaniam Natarajan (Aug 25)
- Re: Snort weird behaviour Joel Esler (Aug 26)
- Re: Snort weird behaviour Balasubramaniam Natarajan (Aug 25)
- Re: Snort weird behaviour Joel Esler (Aug 25)
- Re: Snort weird behaviour waldo kitty (Aug 25)