Subject: Re: [snort] Rapidnet sig error?
From: Jim Forster (jforsterrapidnet.com)
Date: Tue Mar 07 2000 - 13:38:34 CST


Yep - I wrote him direct rather than fill the list with 'yep - that's wrong'
messages. heh
Oh well, I've done it now anyway. :P
Anytime these are found please let me know....
I've had a few NIGHTMARES with a search and replace that really messed up
the list, and I didn't notice it for a few days.... ack.

On a side note that I saw in the list a while back on the whole NT-Babble
problems with NetBios traffic.....
In researching this one and talking to Microsoft, we found that if IIS can't
get a reverse lookup, it tries to pull the remote Windows system name.
(Webtrends cookies on the site are really causing headaches with this rule).
I've finally blocked the traffic from getting out on the routers, but it's
still trying. It seems there are a few ISPs in our area that don't do
reverse lookups for any of their dialups - really makes for a mess in the
logs.... So one more disabled. :P
Thanks....

----- Original Message -----
From: Martin Roesch <roeschhiverworld.com>
To: <snortbofh.kyrnet.kg>; Jim Forster <jforsterrapidnet.com>
Sent: Tuesday, March 07, 2000 11:44 AM
Subject: Re: [snort] Rapidnet sig error?

> Jim, you hear that?? :)
>
> Stuart Staniford-Chen wrote:
> >
> > The following sig is in the Rapidnet set:
> >
> > alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-showcode";flags:PA;
> > content:"msads/Samples/selector/showcode.asp";)
> >
> > Shouldn't that be "msadc" rather than "msads"?
> >
> > Thanks,
> >
> > Stuart.
> >
> > --
> > Stuart Staniford-Chen --- President --- Silicon Defense
> > stuartsilicondefense.com
> > (707) 822-4588 (707) 826-7571 (FAX)
>
> --
> Martin Roesch <roeschhiverworld.com>
> Director of Forensic Systems http://www.hiverworld.com
> Hiverworld, Inc. Enterprise Network Security
> Network Forensics, Intrusion Detection and Risk Assessment
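
An added example, not part of the original thread or of the Rapidnet rule set: a small regression check that would catch this kind of typo, by running a rule's content string against a request the rule is supposed to alert on. The helper names and both sample payloads are constructed for illustration, and only the content and nocase options are evaluated.

```python
import re

# Rule as quoted in the thread; the "msads" spelling is the reported error.
RULE_AS_POSTED = ('alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-showcode";'
                  'flags:PA; content:"msads/Samples/selector/showcode.asp";)')
RULE_CORRECTED = RULE_AS_POSTED.replace("msads/", "msadc/")  # Stuart's suggestion

# Constructed sample payloads (not captured traffic).
SAMPLE_HIT = b"GET /msadc/Samples/selector/showcode.asp HTTP/1.0\r\n\r\n"
SAMPLE_BENIGN = b"GET /index.html HTTP/1.0\r\n\r\n"

OPTION = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def parse_options(rule):
    """Return the options between the parentheses as (name, value) pairs."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = []
    for m in OPTION.finditer(body):
        value = (m.group(2) or "").strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # drop the surrounding quotes
        opts.append((m.group(1), value))
    return opts

def content_bytes(value):
    """Decode a content string, including |0d 0a| style hex sections."""
    parts = value.split("|")
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode("latin-1")
                    for i, p in enumerate(parts))

def rule_matches(rule, payload):
    """True if every content option occurs in the payload.
    Assumption: header, flags, offset/depth and negation are ignored."""
    opts = parse_options(rule)
    needles = [content_bytes(v) for name, v in opts if name == "content"]
    if any(name == "nocase" for name, _ in opts):
        payload, needles = payload.lower(), [n.lower() for n in needles]
    return bool(needles) and all(n in payload for n in needles)

def regression(rule):
    """Run the rule against one must-alert and one must-not-alert sample."""
    return {"alerts_on_showcode_request": rule_matches(rule, SAMPLE_HIT),
            "alerts_on_benign_request": rule_matches(rule, SAMPLE_BENIGN)}

if __name__ == "__main__":
    for label, rule in (("as posted", RULE_AS_POSTED), ("corrected", RULE_CORRECTED)):
        print(label, regression(rule))
```

A rule that reports no alert on its own must-alert sample is a silent false negative, which is exactly what a search-and-replace slip in a content string produces.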