[Snort-users] Fine-tuning a rule
shane at ...5522...
Fri May 17 12:03:38 EDT 2002
I'm receiving a large number of false positives on this rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS scripts access"; flags:A+; uricontent:"/scripts/"; nocase; classtype:web-application-activity; sid:1287; rev:2;)
On all my false positives, the scripts directory is actually beneath
another directory /test/. I was wondering if there's a way to pass
traffic that is accessing /test/scripts/ and still alert me about any
other /scripts/ http traffic?
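One way to do this, as an added example that is not part of the original post or of the stock Snort rule set: keep sid:1287 as shipped and add a local `pass` rule that matches the known-benign `/test/scripts/` path. The rule assumes the standard `$EXTERNAL_NET` and `$HTTP_SERVERS` variables from snort.conf; the sid 1000001 is an arbitrary local number chosen for this example.

```snort
# Added example (not from the original post): suppress sid:1287 for
# requests under /test/scripts/ only, while every other /scripts/ request
# still alerts. Assumes $EXTERNAL_NET / $HTTP_SERVERS from snort.conf;
# sid:1000001 is an arbitrary local sid for this example.

# 1. Pass the known-benign path. Keep the match as specific as possible:
#    a pass rule silences EVERY rule for the matching packet, not just 1287.
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"LOCAL pass /test/scripts/"; flags:A+; uricontent:"/test/scripts/"; nocase; sid:1000001; rev:1;)

# 2. Leave the stock rule unchanged so any other /scripts/ access alerts.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS scripts access"; flags:A+; uricontent:"/scripts/"; nocase; classtype:web-application-activity; sid:1287; rev:2;)
```

Snort's default rule order is alert, then pass, then log, so the pass rule only has an effect if Snort is started with `-o` (or, in later 2.x versions, with `config order: pass alert log` in snort.conf), which evaluates pass rules before alert rules. Two caveats: `uricontent` is a substring match on the normalized URI, so any request whose path contains `/test/scripts/` anywhere is passed, and the pass rule suppresses all other rules for that packet as well, so review what else fires on `/test/scripts/` traffic before deploying it. In Snort versions that support negated content matches, a narrower alternative is a local copy of sid:1287 with an added `uricontent:!"/test/scripts/"`, which suppresses only that one rule rather than all of them.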