[Snort-users] WEB-MISC ?open access

Elena Escolano Torner eescolano at ...10780...
Wed Dec 17 07:38:03 EST 2003


Good morning everyone,
we are using snort Version 2.0.2 (Build 92).

We have defined this:
var HTTP_PORTS 80
var HTTP_OPEN [a.a.a.50,x.x.x.134,b.b.b.29]
pass tcp $EXTERNAL_NET any -> $HTTP_OPEN $HTTP_PORTS (msg:"Copy of WEB-MISC ?open access"; flow: to_server,established; uricontent: "?open"; nocase; classtype:web-application-activity; priority:2; sid:1000020; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ?open access"; flow: to_server,established; uricontent: "?open"; nocase; classtype:web-application-activity; sid:1561; rev:4;)

We have defined the pass rule to avoid some alarms, but unfortunately
we are still getting these alarms:
WEB-MISC ?open access   {TCP}
                 58    y.y.y.170    -> x.x.x.134
                 45    z.z.z.42     -> x.x.x.134
                 29    p.p.p.194   -> x.x.x.134

We have also changed the order in which the rules are processed:
/usr/sbin/snort -D -i eth1 -m 027 -l /var/log/snort -b -u snort -g snort -o -c /etc/snort/snort.conf

Does anyone know what could have happened?

Please answer to:
security at ...10375...
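
The following is an added example, not part of the original post: a static check of whether the pass rule above matches every packet that sid 1561 alerted on for a given destination. It compares the masked addresses from the post as literal strings; the host c.c.c.7 and all function names are constructed for illustration.

```python
import re

# Options that only label a rule; they do not change which packets match.
METADATA = {"msg", "sid", "rev", "classtype", "priority", "reference"}

# Values copied from the post ($EXTERNAL_NET and $HTTP_SERVERS are not shown there).
VARS = {"HTTP_PORTS": "80", "HTTP_OPEN": "[a.a.a.50,x.x.x.134,b.b.b.29]"}
PASS = ('pass tcp $EXTERNAL_NET any -> $HTTP_OPEN $HTTP_PORTS (msg:"Copy of '
        'WEB-MISC ?open access"; flow: to_server,established; uricontent: '
        '"?open"; nocase; classtype:web-application-activity; priority:2; '
        'sid:1000020; rev:4;)')
ALERT = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC '
         '?open access"; flow: to_server,established; uricontent: "?open"; '
         'nocase; classtype:web-application-activity; sid:1561; rev:4;)')

def resolve(token, variables):
    """Replace $NAME with its value when defined; otherwise keep the token."""
    return variables.get(token[1:], token) if token.startswith("$") else token

def parse_rule(text, variables):
    """Split a single-line Snort rule into header fields and detection options."""
    header, body = text.split("(", 1)
    action, proto, src, sport, _arrow, dst, dport = header.split()
    opts = []
    # Options end with ';', but a ';' inside a quoted string does not end one.
    for opt in re.findall(r'((?:[^;"]|"[^"]*")+);', body.rsplit(")", 1)[0]):
        key, _, val = opt.strip().partition(":")
        if key.strip() not in METADATA:
            opts.append((key.strip(), val.strip()))  # order kept: modifiers follow content
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": resolve(dst, variables), "dport": resolve(dport, variables),
            "opts": opts}

def pass_covers(pass_rule, alert_rule, alerted_dst):
    """True if a packet that fired alert_rule toward alerted_dst also matches pass_rule."""
    same_match = all(pass_rule[k] == alert_rule[k]
                     for k in ("proto", "src", "sport", "dport", "opts"))
    return same_match and alerted_dst in set(pass_rule["dst"].strip("[]").split(","))

def report(destinations):
    """Map each alerted destination to whether the pass rule covers it."""
    p, a = parse_rule(PASS, VARS), parse_rule(ALERT, VARS)
    return {d: pass_covers(p, a, d) for d in destinations}

if __name__ == "__main__":
    for dst, covered in report(["x.x.x.134", "c.c.c.7"]).items():
        print(dst, "covered by pass rule" if covered else "NOT covered by pass rule")
```

A True result for x.x.x.134 means the two rule texts select the same packets for that host, so the rule definitions themselves are not where the pass and alert rules diverge.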