[Snort-users] sudden increase in "Mail Login" matches

Nathan Spande NSpande at ...620...
Wed Nov 29 14:17:21 EST 2000


Hey all,

I noticed recently that when I grabbed the most recent source out of CVS,
this rule (and the parallel one that checks for PASS) started matching
tons of web traffic.  Very odd indeed.  It looks like these are two of a
very small set of rules that use the "<>" operator.  Any chance that
something recently changed that would have caused that to start ignoring
ports?  It looks like the content always matches (cookies that have USER
fields, you know), but neither port does.

alert tcp !$HOME_NET any <> $HOME_NET 110 (msg:"Mail Login";flags:PA;
content:"USER"; logto:"MAIL";)

I noticed a fix for a "!" problem recently, but applying that fix didn't
take care of this.

Thanks!
Nathan
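As an added example (not Snort's own code, nor the poster's), a small reference model of how the rule header quoted above should be evaluated: the "<>" operator tries both directions, but the port test is never dropped, so port 80 web traffic carrying "USER" in a cookie must not match a rule that names port 110. The value of $HOME_NET is a constructed assumption.

```python
# Reference model of Snort rule-header matching, added here as an example (not
# Snort's own code): with "<>" a packet matches only if both the address and
# the port of each side line up in one of the two directions, so web traffic
# on port 80 carrying "USER" in a cookie must not trip a rule naming port 110.
import ipaddress
import re

VARS = {"$HOME_NET": "192.168.1.0/24"}  # constructed value, an assumption here
RULE = ('alert tcp !$HOME_NET any <> $HOME_NET 110 (msg:"Mail Login";flags:PA; '
        'content:"USER"; logto:"MAIL";)')

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\(")

def parse_header(rule):
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("not a Snort rule header: %r" % rule)
    return m.groupdict()

def _net_matches(spec, ip):
    """Address spec: 'any', a CIDR or host, a $variable, or '!' negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _net_matches(spec[1:], ip)
    spec = VARS.get(spec, spec)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_matches(spec, port):
    """Port spec: 'any', a single port, a lo:hi range, or '!' negation."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _port_matches(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return port == int(spec)

def _one_way(h, sip, sport, dip, dport):
    return (_net_matches(h["src"], sip) and _port_matches(h["sport"], sport)
            and _net_matches(h["dst"], dip) and _port_matches(h["dport"], dport))

def header_matches(rule, sip, sport, dip, dport):
    """True when the 5-tuple satisfies the header; '<>' tries both directions
    but never drops the port test."""
    h = parse_header(rule)
    if _one_way(h, sip, sport, dip, dport):
        return True
    return h["dir"] == "<>" and _one_way(h, dip, dport, sip, sport)
```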


