[Snort-users] Rules & reference (ACID)

Marc-Andre Hamelin mhamelin at ...1801...
Sat Nov 10 15:19:02 EST 2001


I had the same problem on a few occasions (with the same rule). Most of the
alerts for this rule are ok except some of them have only [] as reference.

It causes an error in mysql when I try to archive these alerts or if these
alerts are part of a bigger selection that I want to archive. So I have to
delete them first.

I'm using ACID beta 17 with snort 1.8.1

I don't know what could cause this problem, but I must admit that I didn't
have the time to look at it. I don't have the message generated by the
error anymore, at least until I get the problem again :)


Does someone have an idea?


Marc

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]On Behalf Of Bruno
Gimenes Pereti
Sent: 10 November 2001 08:27
To: Snort-Users
Subject: Re: [Snort-users] Rules & reference (ACID)


Hi Jeff,

Thanks for the answer. I think I didn't express myself well (my English is horrible).
I was trying to say there is no link in that "[url]". When I wrote [CVE], it was
just an example that points me somewhere; it could be [Bugtraq] or so.
I'll update ACID anyway...
If it doesn't show me the link, I'll write again...

Thanks.

Bruno Gimenes Pereti.

----- Original Message -----
From: "Jeff Dell" <jdell at ...1095...>
To: "'Bruno Gimenes Pereti'" <pereti at ...3411...>; "'Snort-Users'"
<snort-users at lists.sourceforge.net>
Sent: Saturday, November 10, 2001 11:01 AM
Subject: RE: [Snort-users] Rules & reference (ACID)


> Bruno,
>
> There is nothing wrong with seeing "[url]" in acid. Take a look at the
> rule that triggered the alert:
>
> alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml
> autoload attempt"; flags:A+; content:"window.open(\"readme.eml\"";
> nocase; classtype:attempted-user; sid:1290; rev:3;
> reference:url,www.cert.org/advisories/CA-2001-26.html;)
>
> As you can see, the reference points to a URL. It is a big difference
> from CVE. CVEs are maintained by MITRE and are directed to the MITRE
> web page. URLs can point to any web page.
>
> As far as updating your version of Acid goes, I would make sure you have the
> latest beta, which is 17. There have been some changes lately that make
> Acid more stable and feature rich.
>
> Jeff


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
