[Snort-sigs] Need a little help over here...
mark at ...410...
Wed Mar 6 12:00:18 EST 2002
I am a little new to creating rules and I was wondering if I could get a
little help. I have an issue with a snort sensor sending out traffic to
a secured site and receiving a "web-misc 403 forbidden". I haven't been
able to figure out why that computer is going to the site, so I haven't
been able to stop the traffic. I was wondering if I could create a
"pass" rule that would allow me to get rid of those alerts. The
original rule is:
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"WEB-MISC 403 Forbidden"; flags:A+; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:2;)
(Rule that I am creating)
pass tcp $HTTP_SERVERS 80 -> x.x.x.x any(IP Of Secured Site?)
(msg:"WEB-MISC 403 Forbidden";flags: A+; content:"HTTP/1.1 403";
depth:12; classtype:attempted-recon; sid:1201; rev:2;)
I believe I would need to run snort with the -o switch configured, is
Looking it over again, I think I am even more confused. Which side of
the "->" is my sensor, and which side is information coming from the
website? Please help, my head hurts...
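As an added example (not part of the original post or of the stock Snort rule set), here is the shape a pass rule for this case takes. The "->" in a Snort rule header points from source to destination of the packet being inspected, and the "HTTP/1.1 403" string sits in the site's HTTP response, which leaves the site's port 80 and arrives at the sensor's ephemeral client port. So the secured site, not the sensor, belongs on the left of "->". The x.x.x.x placeholder is kept from the post; $HOME_NET as the sensor's side is an assumption, as is that $HTTP_SERVERS and $EXTERNAL_NET resolve loosely enough (for instance to "any") for the stock alert to have fired on this flow at all.

```snort
# Added example, not the poster's draft and not part of the Snort rule set.
# Assumptions: the secured site is x.x.x.x (placeholder from the post) and
# the sensor's own address is covered by $HOME_NET.
#
# The 403 is the site's HTTP response, so the site is the source (left of
# "->") on port 80 and the sensor is the destination on an ephemeral port.
# The pass rule must match exactly the packet the alert rule matches, so it
# carries the same flags/content/depth options. msg, classtype and sid are
# not needed on a pass rule, and reusing sid:1201 would collide with the
# stock alert rule.
pass tcp x.x.x.x 80 -> $HOME_NET any (flags:A+; content:"HTTP/1.1 403"; depth:12;)

# Snort's default rule order is Alert -> Pass -> Log, so the alert above
# would still fire before the pass rule is consulted. Starting Snort with
# -o changes the order to Pass -> Alert -> Log, letting the pass rule win:
#   snort -o -c /etc/snort/snort.conf
```

Keep the pass rule as narrow as the situation allows (the site's address and port 80 only); a pass rule written with "any any" on the left would silence every 403 the sensor ever sees, including the reconnaissance the stock rule exists to catch.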