[Oisf-devel] many FP on uricontent example

Will Metcalf william.metcalf at gmail.com
Tue May 25 10:07:27 EDT 2010


Okay.  Please open a ticket. and Thanks!

On Tue, May 25, 2010 at 6:20 AM, rmkml <rmkml at free.fr> wrote:
> Thx for reply Will,
> with git today (2910759943484cd7e3401bebcc286f06b17b6045), I have same pb on
> my pcap example.
> Regards
> Rmkml
>
>
> On Tue, 25 May 2010, Will Metcalf wrote:
>
>> Have you tried the new master Victor just pushed?  This bug should be
>> fixed.
>> Regards,
>> Will
>>
>> On Tue, May 25, 2010 at 5:57 AM, rmkml <rmkml at free.fr> wrote:
>>>
>>> Hi,
>>> Maybe this pb is already known?
>>> With pcap joigned and this (old) sig:
>>>  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS
>>> ping.asp access"; flow:to_server,established; uricontent:"/ping.asp";
>>> nocase; reference:nessus,10968; classtype:web-application-activity;
>>> sid:2667; rev:2;)
>>> I have many (8) alerts:
>>>  03/29/09-08:03:06.416199  [**] [1:2667:2] WEB-IIS ping.asp access [**]
>>> [Classification: access to a potentially vulnerable web application]
>>> [Priority: 3] {6} 10.50.1.118:2030 -> 194.245.144.33:80 [Xref =>
>>> http://cgi.nessus.org/plugins/dump.php3?id=10968]
>>>  ...
>>> If anyone confirm is not known, I fill a new ticket...
>>> Regards
>>> Rmkml
>
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>
>


More information about the Oisf-devel mailing list