Snort mailing list archives
SNORT rule with sid:0 - KEMP
From: "Wojcicki, Michal via Snort-sigs" <snort-sigs () lists snort org>
Date: Wed, 8 Dec 2021 10:26:53 +0000
Dear Community,

I am using a KEMP load balancer with SNORT rules applied - for now only for gathering logs to adjust false positives. Since I applied the rule, it detects lots of output of this type (I changed the path here - just to give an example):

/pathchanged/123456/13_DECCC/aaa/test/somefile.aspx' - Invalid URL specification (sid:0 rev:0)

Those paths and files are valid and exist. I see that different .aspx destinations are caught by the logs and this rule (sid:0 rev:0). However, I cannot find its definition in community.rules - I guess sid:0 is some sort of "default" rule. I also could not find any information about sid:0. Therefore I cannot do anything, or I am missing some knowledge.

Can you please tell me more about the sid:0 rule? How can I exclude some things from checking (not only .aspx files, I see different entries caught by the sid:0 rule) - as all those files are valid and I cannot see this rule definition. I want some rule to bypass that.

The community rules that I use in KEMP are: https://www.snort.org/downloads -> Snort v2.9.

Best Regards
Michal