[Snort-sigs] A doubt about snort sid 1932

Wang Hui wh2000 at ...2420...
Mon Mar 7 11:33:03 EST 2005


I found that the snort rule 1932 describes :

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI  
rpc-smb.pl access"; flow:to_server,established; uricontent:"/rpc-smb.pl";  
reference:cve,1999-1278; classtype:web-application-activity; sid:1932;  
rev:3;)

But after I searched the detail of rpc-smb.pl,I found nothing relevant to  
it.And in cve:1999-1278 which referrs to this rule,it gives another name  
nlog-smb.pl.

So,I what to know is this rule right,Anyone can help?




More information about the Snort-sigs mailing list