[Snort-sigs] sid 497 commentary

Chris Green cmg at ...26...
Fri Jan 25 18:26:02 EST 2002

alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any
(msg:"ATTACK RESPONSES file copied ok";
content:"1 file(s) copied"; nocase;
flags:A+; classtype:bad-unknown; sid:497; rev:2;)

Remove the 1 from "1 file(s) ... " so that this will catch multiple
file copies.
Chris Green <cmg at ...26...>
To err is human, to moo bovine.
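
Added example (not part of the original post, and not Snort's own code): a simplified Python model of the rule's content/nocase substring match, run over constructed cmd.exe copy output, comparing the posted rule with the change proposed above. The helper names and the sample payloads are assumptions; the rule header and the flags option are ignored.

```python
# Rule text as posted in the message (sid 497, rev 2), joined onto one line.
ORIGINAL_RULE = (
    'alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any '
    '(msg:"ATTACK RESPONSES file copied ok"; '
    'content:"1 file(s) copied"; nocase; '
    'flags:A+; classtype:bad-unknown; sid:497; rev:2;)'
)
# The change the message proposes: drop the leading "1" from the content string.
PROPOSED_RULE = ORIGINAL_RULE.replace(
    'content:"1 file(s) copied"', 'content:"file(s) copied"')

def parse_content(rule):
    """Return (pattern_bytes, nocase) for the rule's single content option."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    pattern, nocase = None, False
    for opt in (o.strip() for o in body.split(";") if o.strip()):
        name, _, value = opt.partition(":")
        if name == "content":
            pattern = value.strip().strip('"').encode("ascii")
        elif name == "nocase":
            nocase = True
    if pattern is None:
        raise ValueError("rule has no content option")
    return pattern, nocase

def content_matches(rule, payload):
    """Simplified model: plain substring search, case-folded when nocase is set."""
    pattern, nocase = parse_content(rule)
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload

# Constructed payloads: "copy" output as it could appear in a response body.
SAMPLES = {
    "one_file": b"HTTP/1.1 200 OK\r\n\r\n        1 file(s) copied.\r\n",
    "three_files": b"HTTP/1.1 200 OK\r\n\r\n        3 file(s) copied.\r\n",
    "eleven_files": b"HTTP/1.1 200 OK\r\n\r\n       11 file(s) copied.\r\n",
    "zero_files": b"HTTP/1.1 200 OK\r\n\r\nThe system cannot find the file "
                  b"specified.\r\n        0 file(s) copied.\r\n",
    "benign": b"HTTP/1.1 200 OK\r\n\r\n<html>welcome</html>",
}

def compare():
    """Map sample name -> (original rule matches, proposed rule matches)."""
    return {name: (content_matches(ORIGINAL_RULE, p),
                   content_matches(PROPOSED_RULE, p))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (orig, prop) in compare().items():
        print(f"{name:13s} original={orig!s:5s} proposed={prop}")
```

In this model the shortened pattern also matches the "0 file(s) copied" line printed by a failed copy, and the original pattern already matches counts that end in 1, such as 11.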
