Bug #166
closed
many FP on uricontent example
Description
Hi,
With the attached pcap and this (old) sig:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ping.asp access"; flow:to_server,established; uricontent:"/ping.asp"; nocase; reference:nessus,10968; classtype:web-application-activity; sid:2667; rev:2;)
I have many alerts (8):
03/29/09-08:03:06.416199 [**] [1:2667:2] WEB-IIS ping.asp access [**] [Classification: access to a potentially vulnerable web application] [Priority: 3] {6} 10.50.1.118:2030 -> 194.245.144.33:80 [Xref => http://cgi.nessus.org/plugins/dump.php3?id=10968]
...
Tested on suricata v0.9.0 and git (2910759943484cd7e3401bebcc286f06b17b6045).
Regards
Rmkml