[Snort-users] Questions (and bug report?) about tagging
elof at ...6680...
Fri Aug 23 05:04:06 EDT 2002
I'm playing around with the tag option and don't get the expected result.
Machine A (flash - 10.0.0.53) is running FreeBSD 4.6 and snort 1.8.7.
I have setup inetd to listen on port 80 with this script:
echo 'My server on port 80'
echo 'Here is a long listing of files'
ls -l /usr/lib
echo 'Now that should have triggered a couple of packets'
I use this rule:
alert tcp any any -> any 80 (msg:"php.cgi access";flags:A+; uricontent:"/php.cgi"; nocase;
classtype:attempted-recon; sid:824; rev:6; tag:host,30,seconds,dst;)
More information about the Snort-users