[Snort-sigs] False positives WEB-CGI calendar access
Daniel de Young
daniel at ...1912...
Mon Sep 29 02:06:03 EDT 2003
On Sun, 2003-09-28 at 22:11, Hugo van der Kooij wrote:
> The signature:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar access"; flow:to_server,established; uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882; rev:4;)
> I have not yet figured out a better signature. (If anyone can please share
> your views.)
This rule doesn't seem to be very useful on your network...
If a request to "calender.html" from outside is valid activity, I'd just
comment out the rule.
Am I missing something?
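
An added example, not part of the original thread and not Snort's own code: a simplified Python approximation of how the quoted rule's `uricontent:"/calendar"; nocase;` test behaves, run over constructed web-server log lines to see which requests would alert before deciding whether to comment the rule out. The log lines, addresses and function names are assumptions, and plain percent-decoding stands in for Snort's URI normalization.

```python
import re
from urllib.parse import unquote

# Rule text as quoted in the thread (sid 882, rev 4), joined onto one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-CGI calendar access"; flow:to_server,established; '
        'uricontent:"/calendar"; nocase; classtype:attempted-recon; '
        'sid:882; rev:4;)')
OPTION = re.compile(r'\s*(\w+)\s*(?::\s*("[^"]*"|[^;]*))?;')
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')

# Constructed sample access log (documentation addresses, invented paths).
LOG = '''\
192.0.2.10 - - [28/Sep/2003:21:58:01 -0400] "GET /calendar.html HTTP/1.0" 200 5120
192.0.2.10 - - [28/Sep/2003:21:58:02 -0400] "GET /images/Calendar_icon.gif HTTP/1.0" 200 311
198.51.100.7 - - [28/Sep/2003:22:01:44 -0400] "GET /cgi-bin/calendar.pl HTTP/1.0" 404 208
198.51.100.7 - - [28/Sep/2003:22:01:45 -0400] "GET /index.html HTTP/1.0" 200 2048
'''

def parse_uricontent(rule):
    """Return (pattern, nocase) for the first uricontent option in a rule."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    pattern, nocase, is_target = None, False, False
    for name, value in OPTION.findall(body):
        if name in ('content', 'uricontent'):
            # A modifier such as nocase applies to the content option before it.
            is_target = name == 'uricontent' and pattern is None
            if is_target:
                pattern = value.strip('"')
        elif name == 'nocase' and is_target:
            nocase = True
    return pattern, nocase

def fires(uri, pattern, nocase):
    """Substring test on the decoded URI (assumed stand-in for normalization)."""
    uri = unquote(uri)
    if nocase:
        return pattern.lower() in uri.lower()
    return pattern in uri

def alerts_by_status(log, rule=RULE):
    """Map each logged URI that would alert to the status the server returned."""
    pattern, nocase = parse_uricontent(rule)
    return {uri: int(status) for uri, status in REQUEST.findall(log)
            if fires(uri, pattern, nocase)}

if __name__ == '__main__':
    for uri, status in alerts_by_status(LOG).items():
        print(status, uri)
```

Alerts that line up with 200 responses for pages the site really serves are the false positives discussed above; comparing them with the total alert count for sid 882 shows how much of the rule's output is noise on a given network.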