[Snort-users] pass rule or normal rule with "!"
laurent_news at ...131...
Fri Feb 8 06:40:06 EST 2002
We have a web application running on an IIS server and
all the "normal" requests will have a common beginning
for the URL.
I would like Snort to generate an alert (and log the
URL) when requests not having the expected pattern are
sent to the Web server.
I think we have two choices:
1) writing a pass rule with "uricontent" set to the
normal expected pattern.
2) writing an alerting rule with "!" before the
Are the two solutions completely identical (for
performance for example) or is there a preferred
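The two options from the question, sketched as Snort rules. This is an added example, not part of the original post: the `/app/` prefix is a constructed stand-in for the application's common URL beginning, `$HTTP_SERVERS` is assumed to be defined in snort.conf, and negated `uricontent` is assumed to be supported by the Snort version in use.

```snort
# Option 1: pass rule for the expected pattern, plus an alert rule that
# catches the remaining requests.
# With the default Alert->Pass->Log rule order the alert rule is tested
# first, so Snort must be started with -o (Pass->Alert->Log order) for
# the pass rule to suppress anything.
pass tcp any any -> $HTTP_SERVERS 80 (uricontent:"/app/";)
alert tcp any any -> $HTTP_SERVERS 80 (msg:"WEB request outside /app/"; content:"GET "; depth:4;)

# Option 2: a single alert rule with "!" before the expected pattern.
# No change to the rule order is needed, and the rule set stays
# self-describing: the alert only fires when the prefix is absent.
alert tcp any any -> $HTTP_SERVERS 80 (msg:"WEB request outside /app/"; content:"GET "; depth:4; uricontent:!"/app/";)

# Caveats that apply to both options:
# - uricontent is a substring match over the URI, not an anchored prefix
#   match, so a URI that merely contains "/app/" somewhere is treated as
#   expected. Pick a pattern that is unlikely to appear elsewhere.
# - content:"GET "; depth:4; restricts this example to GET requests
#   (a constructed simplification); other methods need their own rules.
# - A pass rule also hides the matching packet from every other alert
#   rule, so option 1 removes all other signature coverage for requests
#   that contain the expected pattern.
```

Only one of the two options should be loaded at a time; loading both would produce duplicate alerts for the same request.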