From: dan.ellis@sophos.com
Date: Fri Nov 02 2001 - 12:21:24 CST

    Hi,

    I'm not actually a snort user, but I'm trying to respond to a log I was
    sent:

    Date:01/11 18:43:59 Name:WEB-MISC readme.eml attempt
    Priority:8 Type:Attempted User Privilege Gain
    IP info: xxx.xxx.xxx.xxx:80 -> yyy.yyy.yyy.yyy:62689
    References: 1

    which apparently came from the rule:

    alert tcp $EXTERNAL_NET 80 -> $HOME_NET any \
        (msg:"WEB-MISC readme.eml attempt"; \
        flags:A+; uricontent:"readme.eml"; nocase; \
        classtype:attempted-user; sid:1284; rev:3; \
        reference:url,www.cert.org/advisories/CA-2001-26.html;)

    (xxx... is our web server.)

    I'm not very familiar with snort, but from what I've just read in the
    documentation the 'uricontent' bit is supposed to match only on
    the URI of requests. However, this was a response packet from our
    web server. Of course, several of our pages contain the text "readme.eml",
    but I don't see how this rule could have triggered unless it was
    mistakenly matching as 'content' instead of 'uricontent'. Has 'uricontent'
    been known to misbehave in this way?

    Any information greatly appreciated.

    Regards,
    Dan.

    --
    Dan Ellis, Software Engineer                              Sophos Anti-Virus
    email: dan.ellis@sophos.com                           http://www.sophos.com
    US Support: +1 888 SOPHOS 9                     UK Support: +44 1235 559933

    _______________________________________________
    Snort-users mailing list
    Snort-users@lists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users
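The distinction the post turns on, as an added example that is not part of the original message or of Snort: a uricontent check is meant to look only at the URI of an HTTP request line, while a plain content check looks at the whole payload, so a server response whose body mentions "readme.eml" should satisfy the latter but not the former. The packets, addresses and the request-line parsing below are constructed, simplified stand-ins; real Snort extracts the URI with its HTTP preprocessor, which this code does not reproduce. The second helper reads the alert's "IP info" line and reports whether the flagged packet came from the server port, the first thing to check when triaging an alert like the one quoted.

```python
"""Added example (not from the post or from Snort): illustrate the difference
between matching on the request URI ('uricontent') and matching anywhere in
the payload ('content'), and a small triage helper for the alert's IP info."""

import re

# Constructed sample traffic, not the traffic from the post.
REQUEST = (
    b"GET /files/README.EML HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
)
RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Download <a href=\"readme.eml\">readme.eml</a></body></html>"
)

HTTP_METHODS = (b"GET", b"POST", b"HEAD")


def http_request_uri(payload):
    """Return the URI from an HTTP request line, or None when the payload is
    not a request (a server response starts with 'HTTP/', not a method)."""
    first_line = payload.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) != 3 or parts[0] not in HTTP_METHODS:
        return None
    if not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1]


def _contains(haystack, needle, nocase):
    if nocase:
        return needle.lower() in haystack.lower()
    return needle in haystack


def uricontent_match(payload, pattern, nocase=True):
    """A URI-only check: the pattern must appear inside the request URI."""
    uri = http_request_uri(payload)
    return uri is not None and _contains(uri, pattern, nocase)


def content_match(payload, pattern, nocase=True):
    """A whole-payload check: the pattern may appear anywhere, body included."""
    return _contains(payload, pattern, nocase)


def classify_alert(payload, pattern=b"readme.eml"):
    """Report which matching mode fires on a packet, so an analyst can see
    whether an alert on it is consistent with a URI-only rule."""
    return {
        "uricontent": uricontent_match(payload, pattern),
        "content": content_match(payload, pattern),
    }


# Shape of the alert's "IP info" line: "src:port -> dst:port".
IP_INFO = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+)$")


def server_to_client(ip_info, server_port=80):
    """True when the web server's port is the source, i.e. the flagged packet
    is a response rather than a request."""
    m = IP_INFO.match(ip_info.strip())
    if not m:
        raise ValueError("unrecognised IP info line: %r" % ip_info)
    return int(m.group(2)) == server_port


if __name__ == "__main__":
    for label, pkt in (("request", REQUEST), ("response", RESPONSE)):
        print(label, classify_alert(pkt))
    # Constructed addresses standing in for the xxx/yyy placeholders in the post.
    print("response packet?", server_to_client("192.0.2.10:80 -> 198.51.100.7:62689"))
```

Run against the constructed packets, the request fires both modes and the response fires only the whole-payload mode; an alert whose IP info shows port 80 as the source is therefore worth checking against the rule's matching semantics before treating it as an attack.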