[Snort-users] WebDAV

Erek Adams erek at ...577...
Wed Nov 6 14:34:07 EST 2002

On Wed, 6 Nov 2002, Yaakov Yehudi wrote:

> Can anyone tell me if the WebDAV file lock alert can be triggered by
> anything other than an intentional attempt to lock a file for editing etc.
> Some ISPs have offered a range of  reasons for this alert - including:
> "worms";
> "our client has no idea what you are talking about";
> and ... "Apparently, normal traffic is causing your alarm to sound. If you
> click on the animated banner to the right of the "NFC News First Class"
> logo, on this site: http://www.nfc.co.il/04-11-2002.html?04-21-11.  It
> evidently triggers your alarm. We investigated this from our customer
> behavior, and no wrong doing has occurred."
> I'll be grateful to hear your replies. I'm quite puzzled.

Well....  For one, I'm not 100% sure what rule you are talking about.
I'm going to guess you are refering to one of the follwing SID's:


Depending on which one, other content could be triggering it.  Check the
packet dump vs. the rule and see what made it fire.

You might be better off posting this to the snort-sigs list as that's
where the 'sig geeks' tend to hang out.  ;-)


Erek Adams

More information about the Snort-users mailing list