Snort mailing list archives
RE: Rules & reference (ACID)
From: roman () danyliw com
Date: Sat, 17 Nov 2001 15:32:22 US/Eastern
I believe this issue has been addressed in ACID v0.9.6b18.

Roman

On Sat, 10 Nov 2001, Marc-Andre Hamelin wrote:

I had the same problem on a few occasions (with the same rule). Most of the alerts for this rule are OK, except some of them have only [] as reference. It causes an error in mysql when I try to archive these alerts or if these alerts are part of a bigger selection that I want to archive. So I have to delete them first.

I'm using ACID beta 17 with snort 1.8.1.

I don't know what could cause this problem, but I must admit that I didn't have the time to look at it. I don't have the message generated by the error anymore, at least until I get the problem again :)

Does someone have an idea?

Marc

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Bruno Gimenes Pereti
Sent: 10 novembre, 2001 08:27
To: Snort-Users
Subject: Re: [Snort-users] Rules & reference (ACID)

Hi Jeff,

Thanks for the answer. I think I didn't express myself well (my English is horrible). I was trying to say there is no link in that "[url]". When I wrote [CVE] it was just an example that points me to somewhere; it could be [Bugtraq] or so.

I'll update ACID anyway... If it doesn't show me the link I'll write again...

Thanks.

Bruno Gimenes Pereti.

----- Original Message -----
From: "Jeff Dell" <jdell () activeworx com>
To: "'Bruno Gimenes Pereti'" <pereti () ump edu br>; "'Snort-Users'" <snort-users () lists sourceforge net>
Sent: Saturday, November 10, 2001 11:01 AM
Subject: RE: [Snort-users] Rules & reference (ACID)

Bruno,

There is nothing wrong with seeing "[url]" in ACID. Take a look at the rule that triggered the alert:

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml autoload attempt"; flags:A+; content:"window.open(\"readme.eml\""; nocase; classtype:attempted-user; sid:1290; rev:3; reference:url,www.cert.org/advisories/CA-2001-26.html;)

As you can see, the reference points to a URL. It is a big difference from CVE. CVEs are maintained by MITRE and are directed to the MITRE web page. URLs can point to any webpage.

As far as updating your version of ACID, I would make sure you have the latest beta, which is 17. There have been some changes lately that make ACID more stable and feature rich.

Jeff
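Added example (not part of the original thread, and not ACID's or Snort's own code): a small parser that pulls the reference options out of a Snort rule such as the one Jeff quotes and builds the bracketed tag and link, reporting an empty reference (the "[]" case Marc-Andre describes) instead of producing a link. The function names, the link prefix table (modelled on Snort's reference.config) and the second rule are assumptions constructed for illustration.

```python
# Assumed link prefixes, modelled on Snort's reference.config (not ACID's own table).
REF_PREFIX = {
    "url": "http://",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "bugtraq": "http://www.securityfocus.com/bid/",
}

# The rule quoted in the thread.
PAGE_RULE = (r'alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"WEB-MISC readme.eml '
             r'autoload attempt"; flags:A+; content:"window.open(\"readme.eml\""; nocase; '
             r'classtype:attempted-user; sid:1290; rev:3; '
             r'reference:url,www.cert.org/advisories/CA-2001-26.html;)')
# Constructed rule: an empty reference plus a placeholder CVE id.
CONSTRUCTED = ('alert tcp any any -> any any (msg:"constructed; test"; reference:; '
               'reference:cve,CVE-0000-0000; sid:1000001;)')

def rule_options(rule):
    """Split the (...) body into (keyword, value) pairs.
    Semicolons inside quoted strings are data, not separators."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts, buf, quoted, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False          # character after a backslash is literal
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            key, _, val = "".join(buf).strip().partition(":")
            if key:
                opts.append((key.strip(), val.strip()))
            buf = []
            continue
        buf.append(ch)
    return opts

def reference_links(rule):
    """Return (tag, link, problem) for every reference option in the rule."""
    out = []
    for key, val in rule_options(rule):
        if key != "reference":
            continue
        system, _, ref_id = (p.strip() for p in val.partition(","))
        tag = "[%s]" % system.lower()
        if not system or not ref_id:
            out.append((tag, None, "empty reference"))
        elif system.lower() not in REF_PREFIX:
            out.append((tag, None, "unknown reference system"))
        else:
            out.append((tag, REF_PREFIX[system.lower()] + ref_id, None))
    return out
```

Entries with a non-empty problem field can be skipped or logged before anything is written to the alert database or rendered as a link.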
Current thread:
- Rules & reference (ACID) Bruno Gimenes Pereti (Nov 10)
- RE: Rules & reference (ACID) Jeff Dell (Nov 10)
- Re: Rules & reference (ACID) Bruno Gimenes Pereti (Nov 10)
- <Possible follow-ups>
- RE: Rules & reference (ACID) Marc-Andre Hamelin (Nov 10)
- RE: Rules & reference (ACID) roman (Nov 17)
- RE: Rules & reference (ACID) Jeff Dell (Nov 10)