[Snort-users] Snort weird behaviour

Balasubramaniam Natarajan bala150985 at ...11827...
Sun Aug 26 02:37:23 EDT 2012


On Sun, Aug 26, 2012 at 1:55 AM, waldo kitty <wkitty42 at ...14940...>wrote:

>
> what rule?
>
>
Rule is something like this.

alert tcp  $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Looking for
POST"; flow:established,to_server; content:"POST"; http_method;
content:"xxxxyyyyzzzzz"; sid: xxxxxxxx; rev:1)


> do you have a pcap?
>
>
I don't have a PCAP, however when I see the payload section of this alert
in Base, I can clearly see that it is

GET xxxxyyyyzzzzz
host: aaaabbbbcccc.com


>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>



-- 
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120826/5fc0c513/attachment.html>


More information about the Snort-users mailing list