[Snort-devel] Getting lots of hits on sid:1841

Steve Halligan giermo at ...269...
Wed Sep 4 11:05:07 EDT 2002

Exact same problem here.
Lots of falses (I presume) on this rule, no payload logged.

Snort 1.9b6 (actually post b6 from cvs)
Barnyard (latest from www.snort.org/dl)

snort -de -c/etc/snort/snort.conf
unified log


>Russell Fulton <r.fulton at ...1343...> writes:
>> Hi,
>> I am running 1.9beta6 with current rule sets and I am seeing lots
>> (up to dozens per hour from several different servers) of hits on this
>> rule:
>> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
>> (msg:"WEB-CLIENT javascript URL host spoofing attempt";
>> flow:to_client,established; content:"javascript\://"; nocase;
>> classtype:attempted-user; reference:bugtraq,5293; sid:1841; rev:1;)
>> I strongly suspect that these are false +ves but I can not verify this
>> since snort never logs the packet? I have had this problem with other
>> versions of snort where some rules never log packets but I never got an
>> explanation.
>What's your command line / log output system?
>[ follow up to snort-devel ]
>Chris Green <cmg at ...402...>
>Warning: time of day goes back, taking countermeasures.