Snort mailing list archives

wrong flow side on very old sid 1045 (always present on SEU 493)


From: rmkml <rmkml () yahoo fr>
Date: Sun, 4 Sep 2011 23:05:08 +0200 (CEST)

Hi,
Maybe I have found a wrong flow side on the very old sid 1045:
  web-iis.rules:# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"WEB-IIS Unauthorized IP Access Attempt"; flow:to_server,established; content:"403"; content:"Forbidden|3A|"; classtype:web-application-attack; sid:1045; rev:11;)
but this sig is still present in the last SEU 493.
Sample:
  HTTP/1.1 403 Forbidden
  Content-Length: 1409
  Content-Type: text/html
  Server: Microsoft-IIS/6.0
  ...
  <h2>HTTP Error 403.4 - Forbidden: SSL is required to view this resource.<br>Internet Information Services (IIS)</h2>
  ...
Regards
Rmkml

http://twitter.com/rmkml
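The mismatch reported above can be checked mechanically across a rule file. The following is an added example, not part of the original post and not Snort's own tooling: a small linter that compares the direction implied by a rule header with its `flow` keyword. The function names, the constructed second rule and the assumption that variables ending in `_SERVERS` or `_PORTS` mark the server side are all illustrative.

```python
import re

# Assumption: variables ending in _SERVERS or _PORTS name the server side.
SERVER_VAR = re.compile(r"^\$\w+_(SERVERS|PORTS)$")
HEADER = re.compile(r"^\s*#?\s*\w+\s+\w+\s+(\S+)\s+(\S+)\s+(->|<>)"
                    r"\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
FLOW = re.compile(r"\bflow\s*:\s*([^;]+);")
SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# flow values that contradict each header direction
CONTRADICTS = {"to_client": {"to_server", "from_client"},
               "to_server": {"to_client", "from_server"}}

def header_direction(src, sport, dst, dport):
    """Direction implied by the header variables, or None if undecidable."""
    src_srv = bool(SERVER_VAR.match(src) or SERVER_VAR.match(sport))
    dst_srv = bool(SERVER_VAR.match(dst) or SERVER_VAR.match(dport))
    if src_srv and not dst_srv:
        return "to_client"   # packets leave the server
    if dst_srv and not src_srv:
        return "to_server"   # packets go to the server
    return None

def check_flow(rule):
    """Return a finding if flow contradicts the header, else None."""
    m = HEADER.match(rule)
    if not m:
        return None
    src, sport, arrow, dst, dport, opts = m.groups()
    flow, expected = FLOW.search(opts), header_direction(src, sport, dst, dport)
    if arrow == "<>" or not flow or expected is None:
        return None          # bidirectional, no flow option, or ambiguous
    bad = {f.strip() for f in flow.group(1).split(",")} & CONTRADICTS[expected]
    if not bad:
        return None
    sid = SID.search(opts)
    return (f"sid {sid.group(1) if sid else '?'}: header implies "
            f"{expected}, flow says {sorted(bad)[0]}")

# Rule text as quoted in the post (wrapped lines joined, still commented out).
SID_1045 = ('# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any '
            '(msg:"WEB-IIS Unauthorized IP Access Attempt"; '
            'flow:to_server,established; content:"403"; '
            'content:"Forbidden|3A|"; classtype:web-application-attack; '
            'sid:1045; rev:11;)')
# Constructed counterpart: same header, flow reversed, local sid.
CONSTRUCTED = ('alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any '
               '(msg:"constructed example"; flow:to_client,established; '
               'content:"403"; sid:1000001; rev:1;)')

if __name__ == "__main__":
    for r in (SID_1045, CONSTRUCTED):
        print(check_flow(r) or "ok")
```

The check is a naming heuristic: rules that use literal addresses or ports in the header return no finding and still need a manual look.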
