Snort mailing list archives

RE: Rules & reference (ACID)

From: roman () danyliw com
Date: Sat, 17 Nov 2001 15:32:22 US/Eastern

I believe this issue has been addressed in ACID v0.9.6b18. 

Roman

On Sat, 10 Nov 2001, Marc-Andre Hamelin wrote:


I had the same problem on a few occasions (with the same rule). Most of the
alerts for this rule are ok except some of them has only [] as reference.

It causes an error in mysql when I try to archive these alerts or if these
alerts are part of a bigger selection that I want to archive. So I have to
delete them first.

I'm using ACID beta 17 with snort 1.8.1

I don't know what could cause this problem, but I must admit that I didn't
have the time to  look at it. I don't have the message generated by the
error anymore, at least until I get the problem again :)


Someone has an idea ?


Marc

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Bruno
Gimenes Pereti
Sent: 10 novembre, 2001 08:27
To: Snort-Users
Subject: Re: [Snort-users] Rules & reference (ACID)


Hi Jeff,

Thank's for answer. I think I didn't express well (my english is horrible).
I was trying to say there is no link in that "[url]". When I wrote [CVE] was
just an example that points me to somewhere, it could be [Bugtraq] or so.
I'll update ACID anyway...
If It don't show me the link I write again...

Thank's.

Bruno Gimenes Pereti.

----- Original Message -----
From: "Jeff Dell" <jdell () activeworx com>
To: "'Bruno Gimenes Pereti'" <pereti () ump edu br>; "'Snort-Users'"
<snort-users () lists sourceforge net>
Sent: Saturday, November 10, 2001 11:01 AM   
Subject: RE: [Snort-users] Rules & reference (ACID)

Bruno,

There is nothing wrong with seeing "[url]" in acid. Take a look at the
rule that triggered the alert:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml  
autoload attempt"; flags:A+; content:"window.open(\"readme.eml\"";
nocase; classtype:attempted-user; sid:1290; rev:3;
reference:url,www.cert.org/advisories/CA-2001-26.html;)

As you an see that the reference points to a url. It is a big difference
from CVE. CVE's are maintained by MITRE and are directed to the MITRE
web page. Url's can point to any webpage.

As far as updating your version of Acid. I would make sure you have the
latest beta which is 17. There have been some changes lately that make
Acid more stable and feature rich.

Jeff




---------------------------------------------
This message was sent using Voicenet WebMail.
      http://www.voicenet.com/webmail/



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Rules & reference (ACID) Bruno Gimenes Pereti (Nov 10)
- RE: Rules & reference (ACID) Jeff Dell (Nov 10)
  - Re: Rules & reference (ACID) Bruno Gimenes Pereti (Nov 10)
- <Possible follow-ups>
- RE: Rules & reference (ACID) Marc-Andre Hamelin (Nov 10)
- RE: Rules & reference (ACID) roman (Nov 17)