[Snort-users] alert refused to pass

Jasmine CHUA Jasmine.Chua at ...11322...
Fri Feb 27 02:19:04 EST 2004


 

People .. oops! I spotted my mistake. Accidentally put one of the IP addresses
into INTRA_NET site. 

Sorry! 

Cheers,
Jas

-----Original Message-----
From: Jasmine CHUA 
Sent: Friday, February 27, 2004 5:42 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] alert refused to pass



*** PGP Signature Status: bad
*** Signer: Jasmine Chua <jasmine.chua at ...11322...>
*** Signed: 2/27/2004 5:41:48 PM
*** Verified: 2/27/2004 6:00:15 PM
*** BEGIN PGP VERIFIED MESSAGE ***

Hi all

I have a problem here and hope someone can help me see some light. I have a
pass rule that goes:

pass tcp $INTRA_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"WEB-MISC /doc/ access"; flow:to_server,established; \
    uricontent:"/doc/"; nocase; reference:cve,CVE-1999-0678; \
    reference:bugtraq,318; classtype:web-application-activity; \
    sid:1000026; rev:1;)

However, I am still seeing traffic and the rule does not work.

My snort.conf :

var INTRA_NET [x.x.x.x/x]

var HTTP_SERVERS [y.y.y.y/y]


And, I did include a "-o" when running snort.

What am I missing here.. :(

Jas 

*** END PGP VERIFIED MESSAGE ***
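
A way to check whether an alerting packet is actually covered by the pass rule's header, given the variables in snort.conf (an added example, not part of the original post and not Snort's own code). The snort.conf fragment, the addresses and the function names are constructed for illustration; the sketch handles flat bracket lists, `any`, `$VAR` references and `lo:hi` port ranges, and does not handle negation.

```python
import ipaddress
import re

# Constructed snort.conf fragment (documentation address ranges, not the poster's).
SAMPLE_CONF = """
var INTRA_NET [192.0.2.0/24,198.51.100.17/32]
var HTTP_SERVERS [203.0.113.0/28]
var HTTP_PORTS 80
"""

def parse_vars(conf_text):
    """Collect 'var NAME value' lines into a dict of raw strings."""
    found = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*var\s+(\w+)\s+(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def addr_matches(spec, ip, variables):
    """True if ip is covered by spec: any, $VAR, a CIDR, or a flat [a,b] list."""
    spec = spec.strip()
    if spec.startswith("$"):
        return addr_matches(variables[spec[1:]], ip, variables)
    if spec.startswith("[") and spec.endswith("]"):
        return any(addr_matches(p, ip, variables) for p in spec[1:-1].split(","))
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port, variables):
    """True if port is covered by spec: any, $VAR, one port, or a lo:hi range."""
    if spec.startswith("$"):
        return port_matches(variables[spec[1:]], port, variables)
    if spec == "any":
        return True
    lo, _, hi = spec.partition(":")
    return int(lo or 0) <= port <= int(hi or 65535) if ":" in spec else port == int(lo)

def pass_header_matches(header, src, sport, dst, dport, variables):
    """Evaluate only the address/port header of a unidirectional (->) rule."""
    _action, _proto, s_ip, s_port, _arrow, d_ip, d_port = header.split()
    return (addr_matches(s_ip, src, variables) and port_matches(s_port, sport, variables)
            and addr_matches(d_ip, dst, variables) and port_matches(d_port, dport, variables))

PASS_HEADER = "pass tcp $INTRA_NET any -> $HTTP_SERVERS $HTTP_PORTS"
VARS = parse_vars(SAMPLE_CONF)
```

Feed it the source and destination from an alert that should have been suppressed; a `False` result points at the variable definitions rather than at the rule options or the `-o` ordering.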


