[Snort-devel] Re: [Snort-sigs] Getting lots of hits on sid:1841
jsage at ...1556...
Mon Sep 2 16:30:30 EDT 2002
On Tue, Sep 03, 2002 at 10:51:14AM +1200, Russell Fulton wrote:
> I am running 1.9beta6 with current rule sets and I am seeing lots
> (up to dozens per hour from several different servers) of hits on this
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPERIMENTAL
> classtype:attempted-user; reference:bugtraq,5293; sid:1841; rev:1;)
> I strongly suspect that these are false +ves but I can not verify this
> since snort never logs the packet? I have had this problem with other
> versions of snort where some rules never log packets but I never got an
I'll jump right in and ask a stupid question:
What are you seeing that lets you know the rule's firing off on some
packets, but that's *not* logging enough about the packet to tell you
anything about it?
Is snort logging any packets in any detail?
How do you have alerting/logging set up in snort.conf?
What am I missing?
/* decides to go back to sleep, now.. */
"In those days, you could not buy a $2000 200MHz Pentium server."
PGP key: http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800 4EF6 5FC8 F23D 35A4 F705