This repository has been archived by the owner on Aug 6, 2024. It is now read-only.
Mistake in snort rule files (matching "T " instead of "GET ") #37
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
All snort rules I've taken a look so far use a wrong first match for
content:"T "; offset:2; depth:3;that is separately matched to the actual "GET /..." URLs.A simple "GET /swip/Events" would suffice (as even the HTTP/1 suffix is unnecessary, actually). Depending on the final rule parser and software, some IDS might cause false positive alerts because of this.
The text was updated successfully, but these errors were encountered: