[Snort-sigs] Snort Signature option, byte_test and byte_jump
amorelle.ong at ...502...
Mon Apr 21 07:24:01 EDT 2003
Can somebody help me find out what the equivalent option of
byte_test and byte_jump is in the Snort 1.9.1 engine? Snort 1.9.1 does not
support byte_test and byte_jump. But I am still using Snort 1.9.1 and my
signature is the latest one.
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net]On Behalf Of Scott,
Sent: Wednesday, April 16, 2003 6:04 AM
To: 'snort-sigs at ...198...'
Subject: [Snort-sigs] SID 1042 and WebDAV
I'm getting bombarded by alerts from SID 1042 - "WEB-IIS view source via
translate header". According to the info on Arachnids, false positives
may be generated due to WebDAV requests. There seem to be a lot of
instances of legitimate WebDAV requests (or so I think). I've found
that Outlook Express communication with Hotmail, Outlook Web Access (OWA)
client communication, and even OWA communication between servers uses
WebDAV. We're a very large Exchange shop (hundreds of servers across
the globe) so creating a pass rule or BPF filter at each sensor would be
an administrative nightmare.
I'd like to look into any possible alternatives before disabling the
sig. Can anyone offer any insight? Am I correct that
Exchange/OWA/Outlook Express uses WebDAV? How do other Exchange shops
running Snort handle this sig? Do most people leave this sig enabled?
Security Architect, CISSP