Snort mailing list archives

WEB-MISC ?open access


From: Elena Escolano Torner <eescolano () tissat es>
Date: Tue, 16 Dec 2003 12:09:00 +0100

Good morning everyone,
We are using Snort version 2.0.2 (Build 92).

We have defined this:
var HTTP_PORTS 80
var HTTP_OPEN [a.a.a.50,x.x.x.134,b.b.b.29]
pass tcp $EXTERNAL_NET any -> $HTTP_OPEN $HTTP_PORTS (msg:"Copy of WEB-MISC ?open access"; flow: to_server,established; uricontent: "?open"; nocase; classtype:web-application-activity; priority:2; sid:1000020; rev:4;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ?open access"; flow: to_server,established; uricontent: "?open"; nocase; classtype:web-application-activity; sid:1561; rev:4;)

We have defined the pass rule to avoid some alarms, but unfortunately
we are getting these alarms:
WEB-MISC ?open access   {TCP}
                 58    y.y.y.170    -> x.x.x.134
                 45    z.z.z.42     -> x.x.x.134
                 29    p.p.p.194   -> x.x.x.134

We have also changed the order in which the rules are processed:
/usr/sbin/snort -D -i eth1 -m 027 -l /var/log/snort -b -u snort -g snort -o -c /etc/snort/snort.conf

Does anyone know what could have happened?

Please reply to:
security () infocentre gva es
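
A static check that can be run on the two rules quoted in the message above, as an added example that is not part of the original post: it parses the pass rule and the alert rule, compares their headers and detection options, and checks whether an alerted destination is in the pass rule's destination list. The function names are hypothetical; the rule text, variables and the address x.x.x.134 are copied from the post, and undefined variables such as $EXTERNAL_NET are compared as opaque tokens.

```python
import re

# Values copied from the post; $EXTERNAL_NET and $HTTP_SERVERS are not shown there.
VARS = {"HTTP_PORTS": "80", "HTTP_OPEN": "[a.a.a.50,x.x.x.134,b.b.b.29]"}
PASS_RULE = ('pass tcp $EXTERNAL_NET any -> $HTTP_OPEN $HTTP_PORTS '
             '(msg:"Copy of WEB-MISC ?open access"; flow: to_server,established; '
             'uricontent: "?open"; nocase; classtype:web-application-activity; '
             'priority:2; sid:1000020; rev:4;)')
ALERT_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
              '(msg:"WEB-MISC ?open access"; flow: to_server,established; '
              'uricontent: "?open"; nocase; classtype:web-application-activity; '
              'sid:1561; rev:4;)')
# Options that label a rule but do not change which packets it matches.
METADATA = {"msg", "sid", "rev", "classtype", "priority", "reference"}
OPTION = re.compile(r'(\w+)\s*(?::\s*((?:"[^"]*"|[^;])*))?;')

def parse_rule(rule):
    """Split a one-line rule into header fields and its detection options."""
    header, _, body = rule.partition("(")
    fields = dict(zip(("action", "proto", "src", "sport", "dir", "dst", "dport"),
                      header.split()))
    fields["detect"] = [(k, v.strip()) for k, v in OPTION.findall(body)
                        if k not in METADATA]
    return fields

def members(token, variables):
    """Expand $VAR and [a,b,c] into a set; undefined variables stay opaque."""
    if token.startswith("$"):
        token = variables.get(token[1:], token)
    return {m.strip() for m in token.strip("[]").split(",")}

def shadow_gaps(pass_rule, alert_rule, alerted_dst, variables):
    """Return reasons the pass rule would NOT cover an alert to alerted_dst."""
    p, a = parse_rule(pass_rule), parse_rule(alert_rule)
    gaps = []
    if p["action"] != "pass":
        gaps.append("first rule is not a pass rule")
    for key in ("proto", "src", "sport", "dir", "dport"):
        if members(p[key], variables) != members(a[key], variables):
            gaps.append(f"header field {key} differs")
    if alerted_dst not in members(p["dst"], variables):
        gaps.append(f"{alerted_dst} is not in the pass rule destination")
    if p["detect"] != a["detect"]:
        gaps.append("detection options differ")
    return gaps

if __name__ == "__main__":
    print(shadow_gaps(PASS_RULE, ALERT_RULE, "x.x.x.134", VARS) or "pass rule covers it")
```

An empty list means the pass rule, as written, matches the same traffic as the alert rule for that destination, so the rule text itself is not where the two diverge.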
