[Snort-users] rule meaning

Jerry Shenk jas at ...129...
Tue Oct 17 09:52:39 EDT 2000


That rule is looking for the text "file://" in web traffic.  There are some
web server exploits that try to get a specific file.  If you host a web
server, you probably would want to log the packet if someone tried to do
that on your server, and there's not much valid use for that on any web site,
so you'll probably get very few hits.

----- Original Message -----
From: "Raphael Bauduin" <rb at ...573...>
To: <snort-users at lists.sourceforge.net>
Sent: Tuesday, October 17, 2000 9:38 AM
Subject: [Snort-users] rule meaning


I guess this will be regarded as a stupid question by some of you, but what's
the exact purpose of the next rule? Is there a risk by not using it?

alert TCP any any -> any 80 (msg:"WEB-prefix-get file://"; flags: PA; content:"get file://"; nocase; )

Thanks!

Raph



--
              ----------------------------------
             |  -°)                        (°-  |
             |  /\\     Linux for ever     //\  |
             | _\_v                        v_/_ |
              ----------------------------------

   If windows is the answer, it must have been a stupid question.
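
Added example (not part of the original thread and not Snort's own code): a small Python model of how the options in the quoted rule combine, run over constructed packets. The Packet class, the sample payloads and the function names are assumptions made for illustration; "flags: PA" is modelled as an exact match on PSH+ACK, which is how the option behaves without a modifier.

```python
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class Packet:  # hypothetical minimal packet model, not a Snort structure
    dst_port: int
    flags: int
    payload: bytes


def rule_matches(pkt: Packet) -> bool:
    """Model of: alert TCP any any -> any 80 (flags: PA; content:"get file://"; nocase;)"""
    if pkt.dst_port != 80:            # "-> any 80": only traffic to port 80
        return False
    if pkt.flags != (PSH | ACK):      # "flags: PA": exactly PSH and ACK set
        return False
    # "content" + "nocase": case-insensitive byte search anywhere in the
    # payload; the rule has no notion of HTTP methods or headers.
    return b"get file://" in pkt.payload.lower()


# Constructed sample packets (not captured traffic)
SAMPLES = {
    "file_url_request": Packet(80, PSH | ACK, b"GET file:///example.txt HTTP/1.0\r\n\r\n"),
    "mixed_case": Packet(80, PSH | ACK, b"GeT FiLe:///example.txt HTTP/1.0\r\n\r\n"),
    "normal_request": Packet(80, PSH | ACK, b"GET /index.html HTTP/1.0\r\n\r\n"),
    "other_port": Packet(8080, PSH | ACK, b"GET file:///example.txt HTTP/1.0\r\n\r\n"),
    "ack_only": Packet(80, ACK, b"GET file:///example.txt HTTP/1.0\r\n\r\n"),
    # Benign text in a POST body still alerts, because the match is a raw substring
    "string_in_body": Packet(80, PSH | ACK, b"POST /search HTTP/1.0\r\n\r\nq=how to get file://links"),
}


def evaluate(samples=SAMPLES):
    """Return {sample name: True if the modelled rule would alert}."""
    return {name: rule_matches(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:18} {'ALERT' if hit else '-'}")
```

The last sample shows why the rule can produce the occasional false positive, and the port 8080 sample shows that a web server on a non-standard port is not covered by it.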