[Oisf-devel] many FP on uricontent example

rmkml rmkml at free.fr
Tue May 25 10:57:23 UTC 2010


Hi,
Maybe this problem is already known?
With the attached pcap and this (old) sig:
  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS ping.asp access"; flow:to_server,established; uricontent:"/ping.asp"; nocase; reference:nessus,10968; classtype:web-application-activity; sid:2667; rev:2;)
I have many (8) alerts:
  03/29/09-08:03:06.416199  [**] [1:2667:2] WEB-IIS ping.asp access [**] [Classification: access to a potentially vulnerable web application] [Priority: 3] {6} 10.50.1.118:2030 -> 194.245.144.33:80 [Xref => http://cgi.nessus.org/plugins/dump.php3?id=10968]
  ...
If anyone confirms it is not known, I will file a new ticket...
Regards
Rmkml
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricatafnhttpuricontentpingasp25may2010.pcap
Type: application/cap
Size: 3313 bytes
Desc: 
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20100525/4f29d70e/attachment.bin>

