[Snort-users] uricontent misbehaving?

dan.ellis at ...3983... dan.ellis at ...3983...
Fri Nov 2 10:22:16 EST 2001


I'm not actually a snort user, but I'm trying to respond to a log I was

Date:01/11 18:43:59 Name:WEB-MISC readme.eml attempt
Priority:8 Type:Attempted User Privilege Gain
IP info: xxx.xxx.xxx.xxx:80 -> yyy.yyy.yyy.yyy:62689
References: 1

which apparently came from the rule:

Alert tcp $EXTERNAL_NET 80 -> $HOME_NET any \
    (msg:"WEB-MISC readme.eml attempt"; \
    flags:A+; uricontent:"readme.eml"; nocase; \
    classtype:attempted-user; sid:1284; rev:3; \

(xxx... is our web server.)

I'm not very familiar with snort, but from what I've just read in the
documentation the 'uricontent' bit is supposed to match only on
the URI of requests. However, this was a response packet from our
web server. Of course, several of our pages contain the text "readme.eml",
but I don't see how this rule could have triggered unless it was
mistakenly matching as 'content' instead of 'uricontent'. Has 'uricontent'
been known to misbehave in this way?

Any information greatly appreaciated.


Dan Ellis, Software Engineer                              Sophos Anti-Virus
email: dan.ellis at ...3983...                           http://www.sophos.com
US Support: +1 888 SOPHOS 9                     UK Support: +44 1235 559933

More information about the Snort-users mailing list