[Snort-users] interesting problem...

waldo kitty wkitty42 at ...14940...
Fri Sep 24 14:22:20 EDT 2010


i've been working on adjusting my environment to use the VRT published 
snort.conf for 2.8.6.1... i'm in the process of live testing and trying to 
figure out why some things are being alerted on... one of those is


3:13974:2 WEB-CLIENT Internet Explorer XHTML element memory corruption attempt


several things:
1. at least i know that my SO rules are working because this is a GID:3 rule :)

2. this rule is being triggered at the following URL

     http://forums.snort.org/posts?amp%3Bq=&page=7

3. we do not use IE for browsing


so why is this rule being triggered on the snort.org forums?? when i whitelist 
that IP, i can get there and read the messages quite easily... is something 
broken on the forum or is there possibly some advertising stuff there that's 
coming in that i'm not seeing because of my ad and script blocking??





