Snort mailing list archives

Re: web-misc robots.txt will not go away


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 14 Nov 2002 18:47:29 -0500

The reason it hasn't stopped is because the robots rule is in experimental.rules, not web-misc.rules.

Try a grep for "robot" on your rules files:

$ grep robot *

experimental.rules:# NOTES: this signature looks for someone accessing the file "robots.txt" via
experimental.rules:# engines) more efficent. robots.txt is often used to inform a web spider
experimental.rules:# Verify that the robots.txt does not include any sensitive information.
experimental.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robots.txt access"; flow:to_server,established; uricontent:"/robots.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:1;)
experimental.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC robot.txt access"; flow:to_server,established; uricontent:"/robot.txt"; nocase; reference:nessus,10302; classtype:web-application-activity; sid:1857; rev:1;)
sid-msg.map:1852 || WEB-MISC robots.txt access || nessus,10302
sid-msg.map:1857 || WEB-MISC robot.txt access || nessus,10302



At 04:44 PM 11/14/2002 -0400, Charles McGraw wrote:
Running my Snort in IDS mode, I've deleted the web-misc.rules file and commented out the snort.conf file. However, it still picks up and logs all the webmisc robots.txt access.

Please, someone, how do I stop this menace...

Info:

Running snort 1.9.0 on a win32 box using the following cmd line

snort -de -l \log -h (Home_Net) -c snort.conf.

basically taken directly from the user guide pdf...










-------------------------------------------------------
This sf.net email is sponsored by: To learn the basics of securing your web site with SSL, click here to get a FREE TRIAL of a Thawte Server Certificate: http://www.gothawte.com/rd524.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
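
The grep in the reply shows which file holds the rule; the added example below (not part of the original thread, and not Snort project code) goes one step further and reports only rules that are still enabled in files snort.conf actually loads. It assumes the usual `var` and `include` directives; the function names and the config tree built in `demo()` are constructed for illustration, with the two rule SIDs taken from the grep output above.

```python
import os
import re
import tempfile

VAR_RE = re.compile(r"^\s*var\s+(\S+)\s+(\S+)")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")   # "# include ..." does not match
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def included_files(conf_path):
    """Files named by uncommented include lines, with $VAR references expanded."""
    base = os.path.dirname(os.path.abspath(conf_path))
    variables, files = {}, []
    with open(conf_path) as fh:
        for line in fh:
            var, inc = VAR_RE.match(line), INCLUDE_RE.match(line)
            if var:
                variables[var.group(1)] = var.group(2)
            elif inc:
                path = re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), inc.group(1))
                files.append(os.path.normpath(os.path.join(base, path)))
    return files

def active_rules(conf_path, needle):
    """(file, sid) for every enabled rule containing needle in a loaded file."""
    hits = []
    for path in included_files(conf_path):
        if not os.path.isfile(path):
            continue
        with open(path) as fh:
            for line in fh:
                sid = SID_RE.search(line)
                if sid and not line.lstrip().startswith("#") and needle.lower() in line.lower():
                    hits.append((os.path.basename(path), int(sid.group(1))))
    return hits

def demo():
    """Build a constructed config tree in a temp dir and search it."""
    rule = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC %s access"; '
            'flow:to_server,established; uricontent:"/%s"; nocase; sid:%d; rev:1;)\n')
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "experimental.rules"), "w") as fh:
            fh.write("# NOTES: looks for access to robots.txt\n")
            fh.write(rule % ("robots.txt", "robots.txt", 1852))
            fh.write(rule % ("robot.txt", "robot.txt", 1857))
        with open(os.path.join(d, "snort.conf"), "w") as fh:
            fh.write("var RULE_PATH ./\n# include $RULE_PATH/web-misc.rules\n"
                     "include $RULE_PATH/experimental.rules\n")
        return active_rules(os.path.join(d, "snort.conf"), "robot")

if __name__ == "__main__":
    for name, sid in demo():
        print(f"{name}: sid {sid} is still enabled")
```

To silence an alert found this way, comment out the reported rule line or the `include` line for its file, then restart Snort.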


