johnnydepp74 n00b
Joined: 11 Oct 2006 Posts: 8
Posted: Wed Oct 25, 2006 11:57 am Post subject: where are portscan n http_inspect rules description stored?
Hi,
I did an nmap and also used nikto to test snort against my machine, and from mysql I can see the following alerts:
mysql> select * from signature;
+--------+-------------------------------------------+--------------+--------------+---------+---------+---------+
| sig_id | sig_name | sig_class_id | sig_priority | sig_rev | sig_sid | sig_gid |
+--------+-------------------------------------------+--------------+--------------+---------+---------+---------+
| 6 | http_inspect: WEBROOT DIRECTORY TRAVERSAL | 0 | 3 | 0 | 18 | NULL |
| 7 | http_inspect: DOUBLE DECODING ATTACK | 0 | 3 | 0 | 2 | NULL |
| 8 | http_inspect: BARE BYTE UNICODE ENCODING | 0 | 3 | 0 | 4 | NULL |
| 9 | portscan: TCP Portscan | 0 | 3 | 0 | 1 | NULL |
| 10 | portscan: Open Port | 0 | 3 | 0 | 27 | NULL |
+--------+-------------------------------------------+--------------+--------------+---------+---------+---------+
Based on the signature ID (sig_sid) listed in the table above, I could not find the corresponding rule description for any of the particular rules shown above in my /etc/snort/rules folder. I have searched all the .rules files but couldn't find these rules. Any idea where these rules are located?
Thanks.
Rgds
John