[Snort-sigs] rule possibly misfiring

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Mon Jan 27 14:17:04 EST 2003

snort2 both of builds 28 and 49

-----Original Message-----
From: Chris Green [mailto:cmg at ...435...] 
Sent: Monday, January 27, 2003 4:01 PM
To: Kreimendahl, Chad J
Cc: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] rule possibly misfiring

"Kreimendahl, Chad J" <Chad.Kreimendahl at ...361...> writes:

> The following rule:
> POLICY FTP 'STOR 1MB' possible warez site  (sid: 543)
> possible warez site"; flow:to_server,established; content:"STOR";
> nocase; content:"1MB"; nocase; distance:1; classtype:misc-activity;
> sid:543; rev:5;)
> Is hitting on the following data: (user/pass/ip:port have been
> modified)

Snort build/version?
Chris Green <cmg at ...435...>
To err is human, to moo bovine.

More information about the Snort-sigs mailing list