Re: MS12-063 Rule Triggering

[JJC <cummingsj () gmail com>]

Joe,

There are any number of reasons for this to not fire.. I assume that
you are talking about sid:24212 ?

1: Is the sensor seeing the traffic (have you done a TCPDUMP etc to
validate this
2: is the sensor also the target system or is it on a span (if it is
the target run with k none)
3: in the case that you do have a pcap, have you verified that the
attack traffic matches what the rule is looking for?
4: there are options in the http inspect preproc that may cause this..
ala how deep in the packet you are inspecting etc...

JJC

On Wed, Dec 12, 2012 at 3:45 PM, Kochen, Joe <joe.kochen () americo com> wrote:
> MS12-063

------------------------------------------------------------------------------
LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial
Remotely access PCs and mobile devices and provide instant support
Improve your efficiency, and focus on delivering more value-add services
Discover what IT Professionals Know. Rescue delivers
http://p.sf.net/sfu/logmein_12329d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!