[Snort-users] Fine-tuning a rule

Michael Scheidell scheidell at ...5171...
Fri May 17 15:48:02 EDT 2002


----- Original Message -----
From: "Shane Hickey" <shane at ...5522...>
Newsgroups: local.snort.users
Sent: Friday, May 17, 2002 3:34 PM
Subject: [Snort-users] Fine-tuning a rule


> Hello,
> I'm receiving a large amount of false-positives on this rule
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS scripts
> access"; flags:A+; uricontent:"/scripts/"; nocase;
> classtype:web-application-activity; sid:1287; rev:2;)
>
> On all my false positives, the scripts directory is actually beneath
> another directory /test/.  I was wondering if there's a way to pass
> traffic that is accessing /test/scripts/ and still alert me about any
> other /scripts/ http traffic?

add this rule ABOVE the previous one?
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (flags:A+;
uricontent:"/test/scripts/"; nocase;)
--
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...5171...
http://www.secnap.net
>
> Thanks,
>
> Shane
>
>
> _______________________________________________________________
>
> Hundreds of nodes, one monster rendering program.
> Now that's a super model! Visit http://clustering.foundries.sf.net/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> ---
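As an added illustration that is not part of the thread: a small Python model of the two rules above (the stock `sid:1287` alert rule and the proposed `pass` rule) run over a few constructed request URIs. It only models the action, the `uricontent` pattern and `nocase`; `flags:A+`, ports and `$HTTP_SERVERS` are assumed to match. The point it shows is that Snort 1.x evaluates rule types in a fixed order, Alert before Pass by default, so the pass rule only suppresses `/test/scripts/` when Snort is started with `-o`, which changes the order to Pass, Alert, Log.

```python
# Constructed, simplified model of the two rules from the thread. Not Snort's
# own code: it reproduces only the uricontent/nocase matching and the
# per-type evaluation order that decide whether the pass rule takes effect.
RULES = [
    {"action": "pass", "uricontent": "/test/scripts/", "nocase": True},
    {"action": "alert", "uricontent": "/scripts/", "nocase": True,
     "msg": "WEB-IIS scripts access", "sid": 1287},
]

# Stock Snort 1.x order, and the order selected by the -o switch.
DEFAULT_ORDER = ("alert", "pass", "log")
PASS_FIRST_ORDER = ("pass", "alert", "log")


def uricontent_matches(rule, uri):
    """uricontent is a substring match on the request URI; nocase folds case."""
    pattern, haystack = rule["uricontent"], uri
    if rule.get("nocase"):
        pattern, haystack = pattern.lower(), haystack.lower()
    return pattern in haystack


def evaluate(uri, rules=RULES, order=DEFAULT_ORDER):
    """Return the action taken for one URI, or None if no rule matches.

    Rule types are tried in the given order and the first matching rule
    wins, so a pass rule only shields traffic from an alert rule when
    pass rules are evaluated before alert rules.
    """
    for action in order:
        for rule in rules:
            if rule["action"] == action and uricontent_matches(rule, uri):
                return action
    return None


def alerted_uris(uris, order):
    """List the URIs that would raise an alert under the given rule order."""
    return [u for u in uris if evaluate(u, order=order) == "alert"]


# Constructed sample URIs; the mixed-case one exercises nocase.
SAMPLE_URIS = [
    "/scripts/cmd.exe",
    "/test/scripts/run.asp",
    "/TEST/Scripts/Run.asp",
    "/index.html",
]

if __name__ == "__main__":
    print("default order  :", alerted_uris(SAMPLE_URIS, DEFAULT_ORDER))
    print("pass-first (-o):", alerted_uris(SAMPLE_URIS, PASS_FIRST_ORDER))
```

With the default order all three `/scripts/` requests alert, the one under `/test/` included; with pass-first order only `/scripts/cmd.exe` alerts and the `/test/scripts/` requests are passed. Placing the pass rule above the alert rule in the file is therefore not sufficient by itself on a Snort 1.x sensor started without `-o`.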