Snort mailing list archives
Spurious Alerts?
From: David Bianco <bianco () jlab org>
Date: Tue, 30 Apr 2002 15:38:52 -0400
Finney Charles E writes:
Running Snort 1.8.6 on FreeBSD 4.5, Alerts on: alert tcp $EXTERNAL_NET any -> any 80 (msg:"WEB-ATTACKS /bin/ls command attempt"; flags:A+; uricontent:"/bin/ls"; nocase; sid:1369; rev:1; classtype:web-application-attack;) The packet data as displayed in ACID is: 4B 4F 52 6A 4B 30 39 4B 0D 0A 0D KORjK09K... Any clues as to why SNORT would alert on the aforementioned?
Unfortunately, since you didn't really include enough information for me to help, I can only guess. I'd need to see the full dump of the packet, but I suppose there's a part in the data that looks like "/bin/ls", at least after passing it through the HTTP decoding preprocessor. You'd need to look at the rest of the packet for a better answer. David -- David J. Bianco, GSEC <bianco () jlab org> Thomas Jefferson National Accelerator Facility The views expressed herein are soley those of the author and not those of SURA/Jefferson Lab or the US DOE. _______________________________________________________________ Have big pipes? SourceForge.net is looking for download mirrors. We supply the hardware. You get the recognition. Email Us: bandwidth@sourceforge.net_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Spurious Alerts? Finney Charles E (Apr 30)
- Spurious Alerts? David Bianco (Apr 30)
- <Possible follow-ups>
- RE: Spurious Alerts? Finney Charles E (Apr 30)