[Snort-devel] Getting lots of hits on sid:1841
r.fulton at ...1343...
Wed Sep 4 09:19:02 EDT 2002
I am running 1.9beta6 with current rule sets and I am seeing lots
(up to dozens per hour from several different servers) of hits on this
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPERIMENTAL
classtype:attempted-user; reference:bugtraq,5293; sid:1841; rev:1;)
I strongly suspect that these are false +ves but I can not verify this
since snort never logs the packet? I have had this problem with other
versions of snort where some rules never log packets but I never got an
Anyone got any ideas?
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
"It aint necessarily so" - Gershwin