[Snort-users] Signature generated an alert without matching the packet

Joel Esler joel.esler at ...1935...
Fri Aug 26 05:43:43 EDT 2005


Are you using Barnyard?

Joel Esler
Sourcefire


On Aug 26, 2005, at 8:34 AM, Diego Cavalcante Fernandes wrote:

> Hi,
> I have some signatures as example:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE _vti_inf.html access"; flow:to_server,established; uricontent:"/_vti_inf.html"; nocase; reference:nessus,11455; classtype:web-application-activity; sid:990; rev:9;)
>
> This signature generated some alerts. But the packets that
> generated the alert don't have a payload, they only have an IP and TCP
> header. How can this packet generate an alert without having the
> uricontent "/_vti_inf.html" specified in the signature?
>
> Obs: I'm using the database output plugin, like this:
> output database: alert, mysql, user=root dbname=snort host=cirene, detail=full
>
> This output logs the whole packet, including the payload.
>
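A triage check that can be run against the packets the database plugin stored, added here as an example and not code from the thread: it pulls the content/uricontent patterns out of the rule above, slices the TCP payload from the raw IPv4/TCP bytes, and reports whether that payload could have satisfied the rule's content match. The sample packets, their addresses and the minimal frame builder are constructed for the example.

```python
import re
import struct

# The rule from the thread, on one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-FRONTPAGE _vti_inf.html access"; flow:to_server,established; '
        'uricontent:"/_vti_inf.html"; nocase; reference:nessus,11455; '
        'classtype:web-application-activity; sid:990; rev:9;)')

# content/uricontent followed by an optional nocase modifier (hex |..| escapes are not handled here).
CONTENT_RE = re.compile(r'(?:uri)?content:"([^"]*)";\s*(nocase;)?')


def content_patterns(rule):
    """Return [(pattern_bytes, nocase)] for every content/uricontent option in the rule."""
    return [(pat.encode(), bool(nocase)) for pat, nocase in CONTENT_RE.findall(rule)]


def tcp_payload(packet):
    """Slice the application payload out of a raw IPv4+TCP packet (no link layer)."""
    ihl = (packet[0] & 0x0F) * 4            # IP header length in bytes
    doff = (packet[ihl + 12] >> 4) * 4      # TCP data offset in bytes
    return packet[ihl + doff:]


def rule_content_matches(rule, packet):
    """True only if every content pattern of the rule is present in the packet payload."""
    payload = tcp_payload(packet)
    if not payload:
        return False                        # a header-only packet cannot satisfy a content match
    for pat, nocase in content_patterns(rule):
        hay, needle = (payload.lower(), pat.lower()) if nocase else (payload, pat)
        if needle not in hay:
            return False
    return True


def build_packet(payload=b''):
    """Constructed minimal IPv4/TCP frame (checksums left zero; enough for offset parsing)."""
    total = 20 + 20 + len(payload)
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack('!HHIIBBHHH', 1025, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return ip + tcp + payload


GET_PACKET = build_packet(b'GET /_VTI_INF.HTML HTTP/1.0\r\n\r\n')   # mixed case: nocase must apply
ACK_PACKET = build_packet()                                          # header only, like the thread's packets

if __name__ == '__main__':
    for name, pkt in (('GET', GET_PACKET), ('ACK', ACK_PACKET)):
        print(name, len(tcp_payload(pkt)), 'byte payload, content match:', rule_content_matches(RULE, pkt))
```

Feeding the stored packet bytes of each alert through `rule_content_matches` separates alerts whose logged packet really carries the pattern from alerts where the logged packet could not have matched on its own.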


