[Snort-users] Signature has generate alert without match with the packet
joel.esler at ...1935...
Fri Aug 26 05:43:43 EDT 2005
Are you using Barnyard?
On Aug 26, 2005, at 8:34 AM, Diego Cavalcante Fernandes wrote:
> I have some signatures as example:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE _vti_inf.html access"; flow:to_server,established; uricontent:"/_vti_inf.html"; nocase; reference:nessus,11455; classtype:web-application-activity; sid:990; rev:9;)
> This signature generated some alerts. But the packets that had
> generated the alert don't have payload; they only have an IP and TCP
> header. How can this packet generate an alert without having the
> uricontent "/_vti_inf.html" specified in the signature?
> Note: I'm using the database output plugin, like this:
> output database: alert, mysql, user=root dbname=snort host=cirene,detail=full
> This output logs the whole packet, including payload.