[Snort-sigs] Yahoo, Hotmail, and unauth sigs

Chris Kronberg smil at ...1754...
Fri May 28 10:40:01 EDT 2004


On Fri, 28 May 2004, Matthew Jonkman wrote:

> Date: Fri, 28 May 2004 11:54:09 -0500
> From: Matthew Jonkman <matt at ...2436...>
> To: Nigel Houghton <nigel at ...435...>
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] Yahoo, Hotmail, and unauth sigs
>
> Good ideas, all of them. I'm doing them now. Except uri content. When I
> turn that on they don't hit as often. Miss about half. Anyone have an
> idea there?

  I'm not 100% percent sure about the uricontent, but it might be
  connected to the difference between GET and POST requests. I
  suspect that the strings are not found within the POST requests
  as the information is in the header not in the URL/URI.

  Have fun,

                                                           Chris.





More information about the Snort-sigs mailing list