[Snort-sigs] Yahoo, Hotmail, and unauth sigs
smil at ...1754...
Fri May 28 10:40:01 EDT 2004
On Fri, 28 May 2004, Matthew Jonkman wrote:
> Date: Fri, 28 May 2004 11:54:09 -0500
> From: Matthew Jonkman <matt at ...2436...>
> To: Nigel Houghton <nigel at ...435...>
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] Yahoo, Hotmail, and unauth sigs
> Good ideas, all of them. I'm doing them now. Except uri content. When I
> turn that on they don't hit as often. Miss about half. Anyone have an
> idea there?
I'm not 100% percent sure about the uricontent, but it might be
connected to the difference between GET and POST requests. I
suspect that the strings are not found within the POST requests
as the information is in the header not in the URL/URI.
More information about the Snort-sigs