[Snort-sigs] proposed change to rule

Chris Green cmg at ...435...
Mon Jan 27 13:43:08 EST 2003


"Kreimendahl, Chad J" <Chad.Kreimendahl at ...361...> writes:

> Ók, global use: AgentX appears to send more than 1 packet in its
> request.  So 1 instance of use of this tool could potentially
> generate several alerts.

I understand that.  I also understand that it's not the first packet
that's important.  If you have AgentX in your environment, can you
create a rule that looks for the username portion of authentication
rather than all the packets.
-- 
Chris Green <cmg at ...435...>
"Yeah, but you're taking the universe out of context."




More information about the Snort-sigs mailing list