[Snort-sigs] [1:971:1] incorrect classtype

Brian Caswell bmc at ...8...
Tue Aug 21 23:16:26 EDT 2001

Jörgen Persson wrote:
> [1:971:1] states the classtype attempted-recon. According to the
> references[1] attemted-admin seems more correct.

I disagree. 

This is for the .printer attempt.  Its just .printer in a url.  Looking
for .printer can be bad... but its just recon.  If you  included a dsize
(looking for an overflow) then you can say that is an admin attempt.

Brian Caswell
The MITRE Corporation

More information about the Snort-sigs mailing list