[Snort-users] msg update for these, please?

waldo kitty wkitty42 at ...14940...
Tue Sep 28 16:02:28 EDT 2010


On 9/28/2010 15:45, Jefferson, Shawn wrote:
> Maybe something along the lines of:
>
> WEB-CLIENT Request for exe file
>
> and
>
> WEB-CLIENT Portable Executable binary file transfer
>
> which would explain what's happening a little better, and avoid potential
> confusion hopefully.

yep, this is pretty close to what i came up with in my recent post on this 
thread now that it has been pointed out that 16425 is a GET request and not a 
POST or just a general either/or rule...

i have to wait to see if i get an answer to what 16425 would look like if it 
were a POST rule, though... it may be possible, without having actually tested 
it (yet) that it will fire on things it is not intended to fire on... it is 
extremely generic with only the one content:".exe"; in it...




