[Snort-sigs] False positives WEB-CGI calendar access

Daniel de Young daniel at ...1912...
Mon Sep 29 02:06:03 EDT 2003


On Sun, 2003-09-28 at 22:11, Hugo van der Kooij wrote:

> The signature:
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar access";flow:to_server,established; uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882; rev:4;)
> 
> I have not yet figured out a better signature. (If anyone can please share 
> your views.)

This rule doesn't seem to be very useful on your network...  

If a request to "calender.html" from outside is valid activity, I'd just
comment out the rule.

Am I missing something?

-Daniel




