Snort mailing list archives
garbage in alerts' Classification strings
From: Carl Gibbons <cgibbons () du edu>
Date: Thu, 26 Sep 2002 17:45:53 -0600 (MDT)
Every alert on a rule with a "classtype:web-application-activity" option produces garbage in my alert file. For example:

[**] [1:1287:5] WEB-IIS scripts access [**]
[Classification: <B0><E6><A0><F6>`<FC><90><BE><80><CE>@<DF><90>^<D0>N0n] [Priority: 2]
09/26-16:11:36.380159 aaa.bbb.ccc.ddd:1797 -> eee.fff.ggg.hhh:80
TCP TTL:125 TOS:0x0 ID:38950 IpLen:20 DgmLen:331 DF
***AP*** Seq: 0x30578DB Ack: 0xC7CEA4A7 Win: 0x2058 TcpLen: 20

Here's the example rule (it's in web-iis.rules, in the 1.8.7 distribution tarball):

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS scripts access"; flags:A+; uricontent:"/scripts/"; nocase; classtype:web-application-activity; sid:1287; rev:5;)

and here's the corresponding classification.config line:

config classification: web-application-activity,access to a potentially vulnerable web application,2

So, I think I should expect to see in the alert, "[Classification: access to a potentially vulnerable web application]" instead of "[Classification: <B0><E6><A0><F6>`<FC><90><BE><80><CE>@<DF><90>^<D0>N0n]". But I see this garbage on every web-application-activity alert, not just on this one.

I tried changing classification.config to something such as

config classification: web-application-activity,Foo Bar,2

But that only shortens the garbage:

[Classification: <88>w^] [Priority: 2]

How to fix? FWIW, I'm using FreeBSD 4.6.2.

- Carl
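The symptom above (a Classification field that should carry a string from classification.config but instead shows raw high bytes) is the kind of thing worth catching automatically, since an alert file whose fields no longer match the configuration is not trustworthy as evidence. The following script is an added example, not code from the post or from the Snort project: it parses classification.config lines in the "config classification: name,description,priority" form quoted above, then audits alert header lines and flags any whose Classification text contains non-printable bytes (or the "<XX>" rendering a terminal or mail client gives such bytes, as in the post) or does not correspond to any configured description. The sample config and alert lines are constructed here for the demonstration; the function names, the assumption that descriptions contain no commas, and the verdict labels are this example's own, and nothing here diagnoses the cause of the corruption.

```python
import re
from collections import Counter

# Constructed sample classification.config, in the format quoted in the post.
CLASSIFICATION_CONFIG = """\
# comment lines and blanks are skipped
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: attempted-recon,Attempted Information Leak,2
"""

# Constructed sample alert header lines: one well-formed, two showing the
# corrupted field exactly as it was rendered in the post.
SAMPLE_ALERTS = [
    "[**] [1:1287:5] WEB-IIS scripts access [**] "
    "[Classification: access to a potentially vulnerable web application] [Priority: 2]",
    "[**] [1:1287:5] WEB-IIS scripts access [**] "
    "[Classification: <B0><E6><A0><F6>`<FC><90><BE><80><CE>@<DF><90>^<D0>N0n] [Priority: 2]",
    "[**] [1:1287:5] WEB-IIS scripts access [**] [Classification: <88>w^] [Priority: 2]",
]

# Simplified grammar (assumption): name and description contain no commas.
CLASS_LINE = re.compile(r"^config classification:\s*([^,]+),([^,]+),(\d+)\s*$")

# The "[Classification: ...] [Priority: N]" pair as it appears in the alert header.
ALERT_HEADER = re.compile(r"\[Classification: (.*?)\] \[Priority: (\d+)\]")

# "<B0>" style escapes are how a terminal or mail client renders bytes >= 0x80;
# a raw alert file would instead contain the bytes themselves.
ESCAPED_BYTE = re.compile(r"<[0-9A-Fa-f]{2}>")


def parse_classification_config(text):
    """Return {classtype: (description, priority)}; raise on a malformed entry."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLASS_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: malformed classification entry: {raw!r}")
        name, desc, prio = m.group(1).strip(), m.group(2).strip(), int(m.group(3))
        table[name] = (desc, prio)
    return table


def check_alert(line, table):
    """Verdict for one alert header line against the parsed classification table.

    'ok'                : description and priority match a configured entry
    'corrupt'           : description carries non-printable or escaped high bytes
    'unknown'           : printable text, but no configured entry has that description
    'priority-mismatch' : description known, but the priority differs from config
    'no-classification' : line carries no Classification/Priority pair
    """
    m = ALERT_HEADER.search(line)
    if not m:
        return "no-classification"
    desc, prio = m.group(1), int(m.group(2))
    if ESCAPED_BYTE.search(desc) or not desc.isprintable():
        return "corrupt"
    by_description = {d: p for d, p in table.values()}
    if desc not in by_description:
        return "unknown"
    if by_description[desc] != prio:
        return "priority-mismatch"
    return "ok"


def audit(lines, table):
    """Count verdicts over many alert lines; returned as a plain dict."""
    return dict(Counter(check_alert(line, table) for line in lines))


if __name__ == "__main__":
    table = parse_classification_config(CLASSIFICATION_CONFIG)
    for line in SAMPLE_ALERTS:
        print(check_alert(line, table), "|", line)
    print(audit(SAMPLE_ALERTS, table))
```

To run this over a real alert file, read it with `open(path, encoding="latin-1")` so that raw high bytes survive as single characters; `str.isprintable()` then rejects the C1 control range (0x80-0x9F), which is where several of the bytes in the post's output fall.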