[Snort-sigs] Re: bleedingsnort PNG rule 2001203 FP?

Federico Petronio petrus at ...2312...
Tue Aug 24 08:45:02 EDT 2004


Federico Petronio wrote:

> I found that, if I surf in MySQL site:
> 
> http://66.35.250.190/
> 
> the rule 2001203 generate alerts (5 for each full refresh). After 
> looking the source, I found only 3 pngs in the page, and none of those 
> triggers the rule by itself, but the all page does. I really don't 
> understand why this happens. Anyone could explains this?

Ok, finally with help of tcpdump I found the PNG that triggers the rule, 
  the URL is:

http://66.35.250.190/common/img/gray1.png

This PNG triggers the rule 2001203, in my previus mail are the payload 
detals.

-- 
                                         Federico Petronio
                                         petrus at ...2312...




More information about the Snort-sigs mailing list