Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Proposed change to sid:24348 - I don't think it encompasses all the allowed X-Forwarded-For rules

From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 09 Jan 2015 21:16:33 -0500
On 1/8/2015 3:27 PM, Scott Savarese wrote:



On Jan 8, 2015, at 2:32 PM, waldo kitty <wkitty42 () windstream net> wrote:

sounds like you have thousands of playas trying to cause problems with your
system(s)...


I've looked at most of the IP addresses... They are valid IP addresses of our
customers. Plus looking at the data within the packets themselves, the rule
is tripping on valid data. Things like IPv6 addresses. Shouldn't the valid
data be included in the PCRE regex?


yes, it might need some additional valid data like an IPv6 pcre... apparently it 
was written for IPv4 only... then again, it might be best to just disable it in 
your environment ;)

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

------------------------------------------------------------------------------
Dive into the World of Parallel Programming! The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: