Snort mailing list archives

Re: False positives on mysql traffic


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Tue, 28 Apr 2015 11:37:40 +0000

Hello,

        Can you send us the pcap in binary format and the rule that is suspected of alerting incorrectly please?

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi () cisco com 


-----Original Message-----
From: For Sinton [mailto:forsin () inbox kg] 
Sent: Monday, April 27, 2015 11:54 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] False positives on mysql traffic


Hello,
here is the pcap traffic:
0000000: 41 00 00 00 03 53 45 4c 45 43 54 20 74 5f 5f 30 2e 2a 0a 46 52 4f 4d 20 0a 76  A....SELECT.t__0.*.FROM..v
000001A: 69 65 77 73 5f 76 69 65 77 20 74 5f 5f 30 0a 57 48 45 52 45 20 20 28 6e 61 6d  iews_view.t__0.WHERE..(nam
0000034: 65 20 49 4e 20 20 28 27 70 6f 6c 6c 73 27 29 29 20                             e.IN..('polls')).

----- Original Message -----
From: snort-users-request () lists sourceforge net
To: "forsin" <forsin () inbox kg>
Sent: Tuesday, 28 April 2015, 9:52:50
Subject: Welcome to the "Snort-users" mailing list
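The hex dump above is a single MySQL client packet: a 3-byte little-endian payload length (0x41 = 65), a sequence id (0x00), the command byte 0x03 (COM_QUERY) and then the SQL text. What Al is asking for is that same payload as a binary pcap rather than a text dump, so the rule can be run against it. The script below is an added example for this thread (not code from the thread or from the Snort project): it decodes the packet exactly as posted and wraps it in an Ethernet/IPv4/TCP frame inside a classic pcap file that `snort -r` can read. The IP addresses, ports, MAC addresses and TCP sequence numbers are invented placeholders; if the rule in question carries flow or port constraints, substitute the values from the real capture.

```python
"""Decode the MySQL packet from the posted hex dump and wrap it in a minimal
pcap so the bytes can be replayed against Snort with `snort -r`.
Added example for this thread; not code from the Snort project."""
import socket
import struct

# Bytes transcribed from the hex dump posted in the thread (69 bytes).
HEXDUMP = """
41 00 00 00 03 53 45 4c 45 43 54 20 74 5f 5f 30 2e 2a 0a 46 52 4f 4d 20 0a 76
69 65 77 73 5f 76 69 65 77 20 74 5f 5f 30 0a 57 48 45 52 45 20 20 28 6e 61 6d
65 20 49 4e 20 20 28 27 70 6f 6c 6c 73 27 29 29 20
"""

# Subset of the MySQL client/server protocol command bytes.
MYSQL_COMMANDS = {0x01: "COM_QUIT", 0x02: "COM_INIT_DB", 0x03: "COM_QUERY",
                  0x16: "COM_STMT_PREPARE", 0x17: "COM_STMT_EXECUTE"}


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a whitespace-separated hex dump (offsets and ASCII column removed) into bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_mysql_packet(data: bytes) -> dict:
    """Parse one MySQL client packet: 3-byte little-endian payload length,
    1-byte sequence id, then payload = command byte + argument."""
    if len(data) < 5:
        raise ValueError("packet too short for MySQL header plus command byte")
    length = int.from_bytes(data[0:3], "little")
    seq = data[3]
    payload = data[4:4 + length]
    if len(payload) != length:
        raise ValueError(f"truncated packet: header says {length} bytes, got {len(payload)}")
    cmd = payload[0]
    return {
        "length": length,
        "seq": seq,
        "command": MYSQL_COMMANDS.get(cmd, f"0x{cmd:02x}"),
        # COM_QUERY carries the SQL text as the rest of the payload.
        "query": payload[1:].decode("utf-8", "replace") if cmd == 0x03 else None,
    }


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum used by IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_frame(payload: bytes, src="10.0.0.2", dst="10.0.0.1",
                    sport=40000, dport=3306, seq=1, ack=1) -> bytes:
    """Wrap payload in Ethernet/IPv4/TCP (PSH,ACK) headers. Addresses, ports,
    MACs and sequence numbers are invented placeholders (assumption); use the
    real ones from the original capture if the rule has flow or port constraints."""
    ip_src, ip_dst = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = ip_src + ip_dst + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0x4000, 64, 6, 0, ip_src, ip_dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload


def build_pcap(frames) -> bytes:
    """Classic pcap (magic 0xa1b2c3d4, link type 1 = Ethernet), one record per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


PACKET = hexdump_to_bytes(HEXDUMP)

if __name__ == "__main__":
    info = parse_mysql_packet(PACKET)
    print(f"{info['command']} seq={info['seq']} len={info['length']}: {info['query']!r}")
    with open("mysql_query.pcap", "wb") as f:
        f.write(build_pcap([build_tcp_frame(PACKET)]))
```

Running the script writes mysql_query.pcap containing one segment to port 3306; replay it with `snort -c snort.conf -A console -r mysql_query.pcap` and attach the pcap and the rule to the reply. Note that a single mid-stream segment with no handshake will not satisfy a rule that requires an established flow, which is one more reason the original binary capture is preferable to a reconstruction.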


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
