[Snort-users] MS12-063 Rule Triggering
cummingsj at ...11827...
Thu Dec 13 10:07:56 EST 2012
There are any number of reasons for this to not fire.. I assume that
you are talking about sid:24212 ?
1: Is the sensor seeing the traffic (have you done a TCPDUMP etc to
2: is the sensor also the target system or is it on a span (if it is
the target run with k none)
3: in the case that you do have a pcap, have you verified that the
attack traffic matches what the rule is looking for?
4: there are options in the http inspect preproc that may cause this..
ala how deep in the packet you are inspecting etc...
On Wed, Dec 12, 2012 at 3:45 PM, Kochen, Joe <joe.kochen at ...16008...> wrote:
More information about the Snort-users