[Snort-devel] Getting lots of hits on sid:1841

Steve Halligan giermo at ...269...
Wed Sep 4 11:05:07 EDT 2002


Exact same problem here.
Lots of falses (I presume) on this rule, no payload logged.

Snort 1.9b6 (actually post b6 from cvs)
Barnyard (latest from www.snort.org/dl)
mysql
obsd
etc
etc

snort -de -c/etc/snort/snort.conf
to
unified log
to
barnyard
to
mysql

-steve

>
>Russell Fulton <r.fulton at ...1343...> writes:
>
>> Hi,
>> 	I am running 1.9beta6 with current rule sets and I am seeing lots
>> (up to dozens per hour from several different servers) of hits on this
>> rule:
>>
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPERIMENTAL
>> WEB-CLIENT javascript URL host spoofing attempt";
>> flow:to_client,established; content:"javascript\://"; nocase;
>> classtype:attempted-user; reference:bugtraq,5293; sid:1841; rev:1;)
>>
>> I strongly suspect that these are false +ves but I can not verify this
>> since snort never logs the packet? I have had this problem with other
>> versions of snort where some rules never log packets but I never got an
>> explanation.
>
>What's your command line / log output system?
>
>[ follow up to snort-devel ]
>-- 
>Chris Green <cmg at ...402...>
>Warning: time of day goes back, taking countermeasures.
>
>
>
>
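An added example, not part of this thread and not Snort's own matcher: a Python emulation of the quoted sid:1841 conditions over constructed traffic. It shows that any established server-to-client HTTP payload containing the bytes javascript:// (in any case, because of nocase) fires the rule, and it prints the bytes around each hit, which is exactly the context an analyst needs to confirm or reject an alert when the packet itself is never logged.

```python
import re
from typing import List

# Emulation of the quoted rule (added example, not Snort code): flow:to_client
# means the payload travels from the server ($HTTP_PORTS) to the client, and
# content:"javascript\://" with the backslash escape removed is the byte string
# javascript://, compared case-insensitively because of the nocase modifier.
PATTERN = re.compile(rb"javascript://", re.IGNORECASE)
CONTEXT_BYTES = 24  # bytes of payload shown on either side of each hit


def matches_sid1841(to_client: bool, payload: bytes) -> bool:
    """True when both the flow direction and the content check are satisfied."""
    return to_client and PATTERN.search(payload) is not None


def match_context(payload: bytes) -> List[str]:
    """Snippet around every hit, the evidence a missing payload log withholds."""
    hits = []
    for m in PATTERN.finditer(payload):
        start = max(0, m.start() - CONTEXT_BYTES)
        end = min(len(payload), m.end() + CONTEXT_BYTES)
        hits.append(payload[start:end].decode("latin-1"))
    return hits


# Constructed sample traffic (not captured data). The response is an ordinary
# page that merely mentions javascript:// pseudo-URLs, yet it fires the rule.
BENIGN_RESPONSE = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body><p>Links such as <code>javascript://</code> or\n"
    b"JavaScript://comment style pseudo-URLs are discussed here.</p>\n"
    b"</body></html>"
)
# Same bytes in a client request: flow:to_client is not met, so no alert.
CLIENT_REQUEST = b"GET /?q=javascript:// HTTP/1.0\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    samples = [("response", True, BENIGN_RESPONSE), ("request", False, CLIENT_REQUEST)]
    for name, to_client, pkt in samples:
        if matches_sid1841(to_client, pkt):
            print(f"{name}: sid:1841 fires; context around each hit:")
            for snippet in match_context(pkt):
                print("   ", repr(snippet))
        else:
            print(f"{name}: no alert")
```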