[Oisf-devel] many FP on uricontent example

rmkml rmkml at free.fr
Tue May 25 10:57:23 UTC 2010

Maybe this pb is already known?
With pcap joigned and this (old) sig:
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ping.asp access"; flow:to_server,established; uricontent:"/ping.asp"; nocase; reference:nessus,10968; classtype:web-application-activity; sid:2667; rev:2;)
I have many (8) alerts:
  03/29/09-08:03:06.416199  [**] [1:2667:2] WEB-IIS ping.asp access [**] [Classification: access to a potentially vulnerable web application] [Priority: 3] 
{6} -> [Xref => http://cgi.nessus.org/plugins/dump.php3?id=10968]
If anyone confirm is not known, I fill a new ticket...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricatafnhttpuricontentpingasp25may2010.pcap
Type: application/cap
Size: 3313 bytes
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20100525/4f29d70e/attachment.bin>

More information about the Oisf-devel mailing list