Snort mailing list archives
Where do these rules come from?
From: Steve Halligan <agent33 () geeksquad com>
Date: Thu, 16 Aug 2001 15:09:37 -0500
This is just an example from web-cgi rules. There are several more like this. Is there something that has a /calendar that is a problem? If so, why isn't it named in the rule? I don't have a problem commenting it out, because I know that I have nothing with a /calendar URL, but I just got to wondering why rules like this are there in the first place. It can make it difficult to decide whether to remove a rule, with no reference as to what the exploit/scan is that the rule is designed for.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI calendar access";flags: A+; uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882; rev:1;)

-Steve
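
An added example, not part of the original post and not code from the Snort project: a small audit that lists the active rules in a rules file that carry no reference: option, which is the gap the post describes. The sample rules text is constructed; only the first rule comes from the post, and the reference URL and the SIDs 1000001 and 1000002 are placeholders.

```python
import re

# Constructed sample rules file. The first rule is the one quoted in the post;
# the other two are made up for contrast (placeholder reference and SIDs).
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI calendar access";flags: A+; uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXAMPLE documented; rule"; flags: A+; uricontent:"/example.cgi"; reference:url,example.invalid/advisory; sid:1000001; rev:1;)
# alert tcp any any -> any 80 (msg:"EXAMPLE disabled rule"; sid:1000002;)
'''

# One option: runs of plain chars, backslash escapes, or whole quoted strings,
# so a ';' inside msg:"..." or uricontent:"..." does not end the option.
OPTION_RE = re.compile(r'(?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+')
# Rule header (action, protocol, addresses, ports) followed by "(options)".
RULE_RE = re.compile(r'^\w+\s+[^(]+\((.*)\)\s*$')


def parse_rule(line):
    """Return sid, msg and reference list for an active rule, else None."""
    line = line.strip()
    match = RULE_RE.match(line)
    if line.startswith('#') or not match:
        return None  # blank line, comment, or disabled rule
    info = {'sid': None, 'msg': None, 'references': []}
    for opt in OPTION_RE.findall(match.group(1)):
        key, _, val = opt.partition(':')
        key, val = key.strip().lower(), val.strip()
        if key == 'reference':
            info['references'].append(val)
        elif key == 'sid':
            info['sid'] = int(val)
        elif key == 'msg':
            info['msg'] = val.strip('"')
    return info


def undocumented(rules_text):
    """List (sid, msg) for every active rule with no reference: option."""
    parsed = filter(None, map(parse_rule, rules_text.splitlines()))
    return [(r['sid'], r['msg']) for r in parsed if not r['references']]


if __name__ == '__main__':
    for sid, msg in undocumented(SAMPLE_RULES):
        print(f'sid {sid}: "{msg}" has no reference')
```

Run against a real rules file by passing its contents to undocumented(); the output is a review list of rules whose purpose has to be looked up elsewhere before they are disabled.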