[Snort-users] Rules & reference (ACID)

Bruno Gimenes Pereti pereti at ...3411...
Sat Nov 10 05:25:01 EST 2001


Hi Jeff,

Thanks for the answer. I think I didn't express myself well (my English is horrible).
I was trying to say there is no link in that "[url]". When I wrote [CVE] it was
just an example that points me somewhere; it could be [Bugtraq] or so.
I'll update ACID anyway...
If it doesn't show me the link I'll write again...

Thanks.

Bruno Gimenes Pereti.

----- Original Message -----
From: "Jeff Dell" <jdell at ...1095...>
To: "'Bruno Gimenes Pereti'" <pereti at ...3411...>; "'Snort-Users'"
<snort-users at lists.sourceforge.net>
Sent: Saturday, November 10, 2001 11:01 AM
Subject: RE: [Snort-users] Rules & reference (ACID)


> Bruno,
>
> There is nothing wrong with seeing "[url]" in acid. Take a look at the
> rule that triggered the alert:
>
> alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml
> autoload attempt"; flags:A+; content:"window.open(\"readme.eml\"";
> nocase; classtype:attempted-user; sid:1290; rev:3;
> reference:url,www.cert.org/advisories/CA-2001-26.html;)
>
> As you can see, the reference points to a url. It is a big difference
> from CVE. CVEs are maintained by MITRE and are directed to the MITRE
> web page. Urls can point to any webpage.
>
> As far as updating your version of Acid, I would make sure you have the
> latest beta which is 17. There have been some changes lately that make
> Acid more stable and feature rich.
>
> Jeff