From: Elena Escolano Torner (eescolanotissat.es)
Date: Mon Jan 05 2004 - 05:08:15 CST

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Good morning everyone,
we are using snort Version 2.0.2 (Build 92).

We have defined this:
        var DMZ_GVA_HTTP_NO_TRANSLATE
        [a.a.a.85,b.b.b.68,c.c.c.3,d.d.d.227]
pass tcp $EXTERNAL_NET any -> $DMZ_GVA_HTTP_NO_TRANSLATE $HTTP_PORTS
(msg:"WEB-IIS view source via translate header"; flow:
to_server,established; content: "Translate|3a| F"; nocase;
reference:bugtraq,1578; reference:arachnids,305;
classtype:web-application-activity; sid:1000017; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS
view source via translate header"; flow: to_server,established;
content: "Translate|3a| F"; nocase; reference:bugtraq,1578;
reference:arachnids,305; classtype:web-application-activity; sid:1042;
rev:6;)

We have defined the pass rule to avoid some alarms, but unfortunately,
we are getting this alarms:
9.84 108 WEB-IIS view source via translate header {TCP}
                 28 80.58.44.42 -> b.b.b.68

We have also changed the order in which the rules are processed:
/usr/sbin/snort -D -i eth1 -m 027 -l /var/log/snort -b -u snort -g snort
-o -c /etc/snort/snort.conf

Does anyone know what can it be happened?

Please answer to:
securityinfocentre.gva.es

-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills. Sign up for IBM's
Free Linux Tutorials. Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]