[Snort-sigs] False positive - sid:2303

Paul Schmehl pauls at ...1311...
Fri Mar 18 13:30:48 EST 2005


--On Friday, March 18, 2005 03:11:33 PM -0600 SRH-Lists 
<giermo at ...1992...> wrote:
>
> Is it possible that the offending content is in the stream and not in
> the packet you are looking at?
>
Probably so.  Unfortunately, we only have a 160GB drive right now, so I 
can't even keep 24 hours of data.  Those stream packets are gone.
>
> If you are getting these a lot, try running tcpdump or ethereal or snort
> in packet logging mode (or sguil with log_packets) and take a look at
> the whole stream.  I bet the content is in there someplace.
>
We're running sguil.  That's where I'm getting all this info.

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
