Snort mailing list archives

Re: Why would my server trigger rule Sid 17487


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Tue, 10 Feb 2015 10:16:17 +0000

It would be really helpful to have a pcap to determine if the rule is a false positive or not. 

The rule was written for an issue with IE 6 on Windows XP according to the documentation. XP has long been dead and the 
current IE version is 11.

Maybe you have users trying to connect with old machines/outdated browsers? 


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi () cisco com 

-----Original Message-----
From: Kelly D. Leavitt [mailto:kelly () lion com] 
Sent: Monday, February 09, 2015 4:29 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Why would my server trigger rule Sid 17487

No. 
Since I don't use Snort or pcap for IPS, it would take some time to gather this information.

A customer is reporting this rule trigger.

We have had quite a few customers in our training every day for several years, and this is the first we've heard of this issue.

-----Original Message-----
From: Al Lewis (allewi) [mailto:allewi () cisco com] 
Sent: Monday, February 09, 2015 4:27 PM
To: Kelly D. Leavitt; snort-users () lists sourceforge net
Subject: RE: Why would my server trigger rule Sid 17487

Hello,

        Would you happen to have some sample traffic in pcap format for review?

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi () cisco com 


-----Original Message-----
From: Kelly D. Leavitt [mailto:kelly () lion com] 
Sent: Monday, February 09, 2015 4:16 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Why would my server trigger rule Sid 17487

We have a customer complaining that our online training is triggering packet loss due to 
https://www.snort.org/rule_docs/17487

What could be triggering this alert?

Thanks,
Kelly Leavitt
Computer Specialist
Lion Technology Inc.

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership 
with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to 
news, videos, case studies, tutorials and more. Take a look and join the conversation now. 
http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
