[Snort-devel] NOT content and uricontent="?..." problems in Snort 2.0
bmc at ...835...
Sat Mar 1 13:28:27 EST 2003
On Thu, Feb 27, 2003 at 01:23:57PM -0800, Radek Mista wrote:
> I've been running comparison tests between Snort 1.9 and Snort 2.0 and I
> noticed a couple of problems with Snort 2.0.
> 1) Snort 2.0 did not alert on any rules with NOT content
> (content:!"string"). For example, when run on the same data, Snort 1.9
> reported the following:
> [**] [1:1734:6] FTP USER overflow attempt [**]
> [Classification: Attempted Administrator Privilege Gain] [Priority: 1]
> 05/24-15:38:30.926650 X.X.X.X:61292 -> Y.Y.Y.Y:21
> TCP TTL:126 TOS:0x0 ID:6247 IpLen:20 DgmLen:51 DF
> ***AP*** Seq: 0x859EBD72 Ack: 0xE52E3E23 Win: 0x443F TcpLen: 20
Can you include the payload for these? It's kinda hard to debug content
rules without actual payload.