Snort mailing list archives

Re: Problems finding gen_id sig_id


From: sekure <sekure () gmail com>
Date: Wed, 8 Dec 2004 11:06:25 -0500

Yep, openaanval currently makes no differentiation between gen_id's,
I filed a bug in their support forum.

In the meantime, http_inspect gen_id is 119, the sig_id for 
IIS Unicode is 6
Double Decoding is 1
Apache Whitespace is 11

(from preprocessors/HttpInspect/include/hi_eo_events.h)


On Wed, 8 Dec 2004 16:42:09 +0100, Patrick Marquetecken
<patrick.marquetecken () pandora be> wrote:
Hi,

I can't seem to find the gen_id, sig_id for:
       http_inspect: IIS UNICODE CODEPOINT
       http_inspect: DOUBLE DECODING ATTACK
       http_inspect: APACHE WHITESPACE (TAB)

I get a lot of warnings/attacks from computers of our external office that are accessing our proxy server. The only way that I can filter them is with the threshold.conf.
I'm using openaanval to monitor, but if I ask for details on these "attacks" the snort website always says: "Sorry, no such sid-gen"
So who knows the right gen_id and sig_id? I'm using snort 2.2, so is there a problem with openaanval?

Patrick

-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
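
Added example (not part of the original thread, and not code from Snort or openaanval): the gen_id and sig_id can be read directly from the bracketed `[gen_id:sig_id:rev]` field of each alert line, and turned into source-scoped suppress entries for threshold.conf. It assumes Snort's fast alert line layout; the sample alerts, the addresses and the 192.0.2.0/24 "external office" network are constructed.

```python
import ipaddress
import re

# Fast-alert layout: [**] [gen_id:sig_id:rev] message [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(\d+):(\d+):\d+\]\s+(.*?)\s+\[\*\*\].*?"
    r"\{\w+\}\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->"
)

# Constructed sample alerts (documentation addresses, made-up timestamps).
SAMPLE_ALERTS = """\
12/08-16:40:01.100000  [**] [119:6:1] (http_inspect) IIS UNICODE CODEPOINT [**] {TCP} 192.0.2.21:3312 -> 198.51.100.5:8080
12/08-16:40:02.200000  [**] [119:1:1] (http_inspect) DOUBLE DECODING ATTACK [**] {TCP} 192.0.2.22:3313 -> 198.51.100.5:8080
12/08-16:40:03.300000  [**] [119:11:1] (http_inspect) APACHE WHITESPACE (TAB) [**] {TCP} 192.0.2.21:3314 -> 198.51.100.5:8080
12/08-16:40:04.400000  [**] [119:1:1] (http_inspect) DOUBLE DECODING ATTACK [**] {TCP} 203.0.113.9:4000 -> 198.51.100.5:8080
12/08-16:40:05.500000  [**] [1:1000001:1] LOCAL constructed rule alert [**] {TCP} 192.0.2.22:3315 -> 198.51.100.5:8080
"""


def parse_alerts(text):
    """Yield (gen_id, sig_id, message, source_ip) for each alert line."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)


def alert_ids(text):
    """Map each (gen_id, sig_id) pair seen in the alerts to its message."""
    return {(gen, sig): msg for gen, sig, msg, _ in parse_alerts(text)}


def suppress_lines(text, gen_id, trusted_net):
    """Suppress entries for one generator, scoped to a trusted source network."""
    net = ipaddress.ip_network(trusted_net)
    sigs = sorted({
        sig for gen, sig, _, src in parse_alerts(text)
        if gen == gen_id and ipaddress.ip_address(src) in net
    })
    return [
        f"suppress gen_id {gen_id}, sig_id {sig}, track by_src, ip {net}"
        for sig in sigs
    ]


if __name__ == "__main__":
    for (gen, sig), msg in sorted(alert_ids(SAMPLE_ALERTS).items()):
        print(f"# gen_id {gen}, sig_id {sig}: {msg}")
    # 192.0.2.0/24 stands in for the external office network (assumption).
    print("\n".join(suppress_lines(SAMPLE_ALERTS, 119, "192.0.2.0/24")))
```

Scoping each entry with `track by_src` and the office network keeps the same http_inspect events visible when they come from any other source.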


