[Snort-users] Fine-tuning a rule

Shane Hickey shane at ...5522...
Fri May 17 12:03:38 EDT 2002


Hello,
	I'm receiving a large amount of false-positives on this rule

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS scripts
access"; flags:A+; uricontent:"/scripts/"; nocase;
classtype:web-application-activity; sid:1287; rev:2;)

	On all my false positives, the scripts directory is actually beneath
another directory /test/.  I was wondering if there's a way to pass
traffic that is accessing /test/scripts/ and still alert me about any
other /scripts/ http traffic?

Thanks,

Shane





More information about the Snort-users mailing list