[Snort-users] Rules & reference (ACID)

Jeff Dell jdell at ...1095...
Sat Nov 10 05:01:02 EST 2001


Bruno,

There is nothing wrong with seeing "[url]" in acid. Take a look at the
rule that triggered the alert:

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml
autoload attempt"; flags:A+; content:"window.open(\"readme.eml\"";
nocase; classtype:attempted-user; sid:1290; rev:3;
reference:url,www.cert.org/advisories/CA-2001-26.html;)

As you can see, the reference points to a URL. It is a big difference
from CVE. CVEs are maintained by MITRE and are directed to the MITRE
web page. URLs can point to any webpage.

As far as updating your version of Acid goes, I would make sure you have the
latest beta, which is 17. There have been some changes lately that make
Acid more stable and feature rich.

Jeff

> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net 
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of 
> Bruno Gimenes Pereti
> Sent: Saturday, November 10, 2001 6:26 AM
> To: Snort-Users
> Subject: [Snort-users] Rules & reference (ACID)
> 
> 
> Hi All,
> 
> I updated to Snort 1.8.2 from the rpm available in 
> www.snort.com and I'm using the rules that comes with it. 
> I've got some attempts of "WEB-MISC readme.eml autoload 
> attempt" and ACID report shows: "[url] WEB-MISC readme.eml 
> autoload attempt". I mean... Shouldn't there be something like 
> [CVE] with the link to the www.cert.org page?
> 
> I'm using ACID v0.9.6 with schema 104.
> Do I need to update my ACID?
> 
> Thanks.
> 
> Bruno Gimenes Pereti.
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe: 
> https://lists.sourceforge.net/lists/listinfo/snort-users
> 
> Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
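
To see why ACID shows "[url]" for this alert, here is an added example (not ACID's or Snort's own code) that parses the option section of the rule quoted above and renders each reference the way a console does: the bracketed tag is simply the reference system name, and the link is that system's base URL plus the id. The base-URL table is an assumption modelled on the reference.config convention that ships with Snort.

```python
# Reference system -> URL prefix. This table is an assumption modelled on the
# reference.config convention shipped with Snort; a "url" id is already a URL.
REFERENCE_SYSTEMS = {
    "url": "http://",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
}
# The rule quoted in the message, constructed here as a single-line sample.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml '
    'autoload attempt"; flags:A+; content:"window.open(\\"readme.eml\\""; '
    'nocase; classtype:attempted-user; sid:1290; rev:3; '
    'reference:url,www.cert.org/advisories/CA-2001-26.html;)'
)

def split_options(rule):
    """Split the parenthesised option body into (keyword, value) pairs.
    A ';' inside quotes does not end an option, and a backslash escapes the
    next character (the content match above carries \\" inside its quotes)."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options, buf, quoted, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            opt = "".join(buf).strip()
            if opt:
                key, _, val = opt.partition(":")
                options.append((key.strip(), val.strip()))
            buf = []
            continue
        buf.append(ch)
    return options

def render_references(rule):
    """Return (tag, link) pairs as a console shows them: the tag is just the
    reference system name, so 'reference:url,...' is displayed as '[url]'."""
    refs = []
    for key, val in split_options(rule):
        if key != "reference":
            continue
        system, _, ident = val.partition(",")
        system = system.strip().lower()
        if system not in REFERENCE_SYSTEMS:
            raise ValueError("unknown reference system: %r" % system)
        refs.append(("[%s]" % system, REFERENCE_SYSTEMS[system] + ident.strip()))
    return refs
```

Only a rule written with `reference:cve,...` would be shown with a [cve] tag and a MITRE link; the sid:1290 rule references a CERT advisory page, so [url] is the correct display.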
