[Snort-sigs] Identical rules - sid: 893 and sid: 1722

Brian Jameson tech at ...1160...
Fri Apr 8 05:07:43 EDT 2005


Is there any reason to have both these rules?

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
MachineInfo access"; flow:to_server,established; uricontent:"/MachineInfo";
nocase; reference:cve,1999-1067; classtype:attempted-recon; sid:893; rev:7;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
MachineInfo access"; flow:to_server,established; uricontent:"/MachineInfo";
nocase; reference:cve,1999-1067; classtype:web-application-activity;
sid:1722; rev:6;)

regards,
Brian





More information about the Snort-sigs mailing list