[Snort-users] garbage in alerts' Classification strings

Carl Gibbons cgibbons at ...6953...
Thu Sep 26 16:48:03 EDT 2002

  Every alert on a rule with a "classtype:web-application-activity"
  option produces garbage in my alert file.  For example:

[**] [1:1287:5] WEB-IIS scripts access [**]
[Classification: <B0><E6><A0><F6>`<FC><90><BE><80><CE>@<DF><90>^<D0>N0n] [Priority: 2]
09/26-16:11:36.380159 aaa.bbb.ccc.ddd:1797 -> eee.fff.ggg.hhh:80
TCP TTL:125 TOS:0x0 ID:38950 IpLen:20 DgmLen:331 DF
***AP*** Seq: 0x30578DB  Ack: 0xC7CEA4A7  Win: 0x2058  TcpLen: 20

  Here's the example rule (it's in web-iis.rules, in the 1.8.7
  distribution tarball):

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS scripts access"; flags:A+; uricontent:"/scripts/"; nocase; classtype:web-application-activity; sid:1287;  rev:5;)

  and here's the corresponding classification.config line:

config classification: web-application-activity,access to a potentially vulnerable web application,2

  So, I think I should expect to see in the alert, "[Classification:
  access to a potentially vulnerable web application]" instead of
  "[Classification: <B0><E6><A0><F6>`<FC><90><BE><80><CE>@<DF><90>^<D0>N0n]".
  But I see this garbage on every web-application-activity alert,
  not just on this one.  I tried changing classification.config to
  something such as

config classification: web-application-activity,Foo Bar,2

  But that only shortens the garbage:

[Classification: <88>w^] [Priority: 2]

  How to fix?  FWIW, I'm using FreeBSD 4.6.2.  - Carl
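A cross-check a defender can run over Snort's own inputs and outputs, added here as an example and not code from the post or from the Snort project: it parses the "config classification:" line format and the classtype/sid rule options shown above, then flags any alert whose Classification field contains non-printable bytes or disagrees with the configured description and priority. The sample config, rules and alert text are constructed from the post (the second rule and alert are made up for comparison).

```python
import re

# Constructed sample inputs modelled on the post: the garbled alert plus a healthy one for comparison.
CLASSIFICATION_CONFIG = """\
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
"""
RULES = """\
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS scripts access"; flags:A+; uricontent:"/scripts/"; nocase; classtype:web-application-activity; sid:1287; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"constructed ssh rule"; classtype:attempted-admin; sid:9000001; rev:1;)
"""
ALERTS = (
    "[**] [1:1287:5] WEB-IIS scripts access [**]\n"
    "[Classification: \xb0\xe6\xa0\xf6`\xfc\x90\xbe\x80\xce@\xdf\x90^\xd0N0n] [Priority: 2]\n"
    "[**] [1:9000001:1] constructed ssh rule [**]\n"
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1]\n"
)

def parse_classification_config(text):
    """Map classtype name -> (description, priority) from 'config classification:' lines."""
    classes = {}
    for m in re.finditer(r"^config classification:\s*([^,]+),([^,]*),(\d+)\s*$", text, re.M):
        classes[m.group(1).strip()] = (m.group(2).strip(), int(m.group(3)))
    return classes

def parse_rule_classtypes(text):
    """Map sid -> classtype for every rule that declares both options."""
    sids = {}
    for line in text.splitlines():
        sid = re.search(r"sid:\s*(\d+)\s*;", line)
        ct = re.search(r"classtype:\s*([\w-]+)\s*;", line)
        if sid and ct:
            sids[int(sid.group(1))] = ct.group(1)
    return sids

def check_alerts(alerts, sids, classes):
    """Return (sid, problem) pairs for alerts whose Classification field is not what the config says."""
    findings = []
    pat = re.compile(r"\[\*\*\] \[\d+:(\d+):\d+\] .*? \[\*\*\]\n\[Classification: (.*?)\] \[Priority: (\d+)\]")
    for m in pat.finditer(alerts):
        sid, shown, prio = int(m.group(1)), m.group(2), int(m.group(3))
        if any(not 32 <= ord(c) < 127 for c in shown):  # anything outside printable ASCII
            findings.append((sid, "non-printable bytes in Classification"))
            continue
        expected = classes.get(sids.get(sid))  # None if the rule's classtype has no config line
        if expected is None:
            findings.append((sid, "classtype not defined in classification.config"))
        elif (shown, prio) != expected:
            findings.append((sid, "alert shows %r/%d, config says %r/%d" % ((shown, prio) + expected)))
    return findings
```

Run it over a real alert file and the loaded rules/config to isolate which sids produce corrupted strings before trusting the Classification field in any downstream parsing.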
