[Snort-devel] Re: [Snort-sigs] Getting lots of hits on sid:1841

John Sage jsage at ...1556...
Mon Sep 2 16:30:30 EDT 2002


Russell:

On Tue, Sep 03, 2002 at 10:51:14AM +1200, Russell Fulton wrote:
> Hi,
> 	I am running 1.9beta6 with current rule sets and I am seeing lots
> (up to dozens per hour from several different servers) of hits on this
> rule:
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPERIMENTAL
> WEB-CLIENT javascript URL host spoofing attempt";
> flow:to_client,established; content:"javascript\://"; nocase;
> classtype:attempted-user; reference:bugtraq,5293; sid:1841; rev:1;)
> 
> I strongly suspect that these are false +ves but I can not verify this
> since snort never logs the packet? I have had this problem with other
> versions of snort where some rules never log packets but I never got an
> explanation.

I'll jump right in and ask a stupid question:

What are you seeing that lets you know the rule's firing off on some
packets, but that's *not* logging enough about the packet to tell you
anything about it?

Is snort logging any packets in any detail?

How do you have alerting/logging set up in snort.conf?

What am I missing?

/* decides to go back to sleep, now.. */


- John
-- 
"In those days, you could not buy a $2000 200MHz Pentium server."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
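As an added illustration, not code from the thread or from Snort, the following Python check parses the sid:1841 rule quoted above, applies its content and nocase options, and runs them over constructed HTTP response bodies. It shows that the rule is a bare case-insensitive string match, so any server-to-client payload containing "javascript://" satisfies it, which is the false-positive shape Russell is asking about. It assumes the rule text as quoted (with "established" restored) and does not evaluate flow, ports or protocol, since those need real packets.

```python
import re

# sid:1841 rev:1 as quoted in the thread, with "established" restored.
SID_1841 = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPERIMENTAL '
    'WEB-CLIENT javascript URL host spoofing attempt"; '
    'flow:to_client,established; content:"javascript\\://"; nocase; '
    'classtype:attempted-user; reference:bugtraq,5293; sid:1841; rev:1;)'
)

def parse_options(rule):
    """Rule options as (keyword, value) pairs; handles only this rule's syntax."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return [(k, v.strip())
            for k, v in re.findall(r'(\w+)(?::((?:"[^"]*"|[^;"])*))?;', body)]

def content_matchers(opts):
    """Each content: string with its nocase flag (a modifier binds to the preceding content)."""
    matchers = []
    for key, val in opts:
        if key == "content":
            # Snort escapes ; " \ and : inside content with a backslash
            raw = re.sub(r"\\(.)", r"\1", val.strip('"'))
            matchers.append({"pattern": raw.encode(), "nocase": False})
        elif key == "nocase" and matchers:
            matchers[-1]["nocase"] = True
    return matchers

def rule_matches(rule, payload):
    """True if every content: string is in payload; flow/ports/protocol need a real packet."""
    for m in content_matchers(parse_options(rule)):
        hay, needle = payload, m["pattern"]
        if m["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True

# Constructed HTTP responses (not from the thread); the first two are
# ordinary pages that still satisfy the rule's content match.
SAMPLES = {
    "inline_link": b'HTTP/1.0 200 OK\r\n\r\n<a href="JavaScript://example">x</a>',
    "js_comment": b'HTTP/1.0 200 OK\r\n\r\n<script>// see javascript://docs</script>',
    "plain_page": b'HTTP/1.0 200 OK\r\n\r\n<html><body>hello</body></html>',
}

def triage(rule=SID_1841, samples=SAMPLES):
    """Map each sample name to whether the rule's content checks hit."""
    return {name: rule_matches(rule, body) for name, body in samples.items()}
```

Feeding the actual packets Snort logs (once logging is configured to keep them) through rule_matches in place of SAMPLES tells you whether a hit came from the content match alone.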
