[Snort-sigs] sid 882 false positives

Jonathan Norman jnorman at ...1256...
Fri Jul 25 03:30:03 EDT 2003


This rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
calendar access";flow:to_server,established; uricontent:"/calendar";
nocase; classtype:attempted-recon; sid:882; rev:4;)

triggers quite often on my network. I was wondering why it does not check
for uricontent:"calendar_admin.pl" instead of simply checking for
"/calendar"?

./Johnathan
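
Added example, not part of the original post or of the Snort rule set: a Python check that compares the uricontent in sid 882 with the narrower pattern the post asks about, run over constructed URIs. It models uricontent as a substring match on an already-normalized URI and ignores the rule header and flow option; SAMPLE_URIS, the TIGHTER variant and the function names are assumptions made for illustration.

```python
import re

# sid 882 as quoted in the post, joined onto one line.
SID_882 = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
           '(msg:"WEB-CGI calendar access";flow:to_server,established; '
           'uricontent:"/calendar"; nocase; classtype:attempted-recon; '
           'sid:882; rev:4;)')

# Hypothetical variant using the pattern the poster suggests (not an official rule).
TIGHTER = SID_882.replace('"/calendar"', '"calendar_admin.pl"')

# Constructed request URIs, assumed to be already normalized.
SAMPLE_URIS = [
    "/calendar/2003/07/index.html",
    "/images/Calendar.gif",
    "/events/calendar.php?month=7",
    "/cgi-bin/calendar_admin.pl",
    "/index.html",
]

def uricontents(rule):
    """Return [(pattern, nocase)] for every uricontent option in the rule."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    found = []
    # Split the option list on ';' while leaving quoted strings intact.
    for opt in re.findall(r'(?:[^;"]|"[^"]*")+', body):
        key, _, val = opt.strip().partition(':')
        if key.strip() == 'uricontent':
            found.append([val.strip().strip('"'), False])
        elif key.strip() == 'nocase' and found:
            found[-1][1] = True  # nocase modifies the preceding content match
    return [tuple(f) for f in found]

def matches(rule, uri):
    """True if every uricontent pattern of the rule occurs in the URI."""
    return all((p.lower() in uri.lower()) if nocase else (p in uri)
               for p, nocase in uricontents(rule))

def broad_only(uris):
    """URIs that fire sid 882 as written but not the tighter variant."""
    return [u for u in uris if matches(SID_882, u) and not matches(TIGHTER, u)]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{uri:32} sid882={matches(SID_882, uri)!s:5} "
              f"tighter={matches(TIGHTER, uri)}")
    print("fires only on the broad pattern:", broad_only(SAMPLE_URIS))
```

Feeding the URIs from a web server access log into broad_only() shows which requests account for the alerts that the narrower pattern would drop.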