Hi All,

I have a problem with this rule in Firestorm (unmodified):

$ tail -1 /xxx/conf/snort-rules/web-frontpage.rules
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE /_vti_bin/ access"; flow:to_server,established; uricontent:"/_vti_bin/"; nocase; classtype:web-application-activity; sid:1288; rev:5;)

and my firestorm.conf (rule order):

...
signatures snort /crusoe/confI/snort-rules/web-frontpage.rules
signatures snort /crusoe/confI/snort-rules/shellcode.rules
signatures snort /crusoe/confI/snort-rules/web-misc.rules
signatures snort /crusoe/confI/snort-rules/policy.rules
signatures snort /crusoe/confI/snort-rules/ftp.rules
signatures snort /crusoe/confI/snort-rules/sql.rules
signatures snort /crusoe/confI/snort-rules/smtp.rules
signatures snort /crusoe/confI/snort-rules/web-coldfusion.rules
signatures snort /crusoe/confI/snort-rules/web-cgi.rules
signatures snort /crusoe/confI/snort-rules/exploit.rules
signatures snort /crusoe/confI/snort-rules/rservices.rules
...

Yes, web-frontpage.rules comes before web-cgi.rules.

Attached is a tcpdump capture with two web requests in a single TCP session (HTTP/1.1). My problem is simple: in the attached file there are two web requests but no web-frontpage traffic, yet Firestorm raises two web-frontpage events, while Snort raises two web-cgi adcycle events. If I comment out the web-frontpage rule, Firestorm is fine (it finds the two web-cgi adcycle events). I compared the web-frontpage rule in Firestorm and in Snort: same rule!

Could you help me please? Do you see this event (web-frontpage) in your logs?

Regards.
Attachment:
pbsfirestormfrontpage.tcpdump.gz
Description: GNU Zip compressed data
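A quick way to check what the quoted rule should match on such a session, added here as an example (it is not code from the post, from Firestorm or from Snort): parse the rule's uricontent/nocase options, split a client-to-server HTTP/1.1 keep-alive stream into its requests, and test each request URI against each rule. The two-request stream below is constructed, since the attached capture is not reproduced here; the second rule is a hypothetical stand-in for the web-cgi adcycle signature (its msg and sid 1000001 are placeholders, not Snort's real rule). The matcher works on the raw request URI and ignores the flow: option, whereas a real sensor matches uricontent against a normalized URI buffer, so treat it as a sanity check on the capture, not as a re-implementation of either engine.

```python
import re

# Constructed sample: two HTTP/1.1 requests on one keep-alive TCP session.
# Neither URI contains "/_vti_bin/"; both contain "adcycle".
SAMPLE_STREAM = (
    b"GET /cgi-bin/adcycle/adcycle.cgi?group=1 HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Connection: keep-alive\r\n\r\n"
    b"GET /cgi-bin/adcycle/adlogin.cgi HTTP/1.1\r\n"
    b"Host: www.example.com\r\n\r\n"
)

RULES = [
    # The rule quoted in the post.
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-FRONTPAGE /_vti_bin/ access"; flow:to_server,established; '
    'uricontent:"/_vti_bin/"; nocase; classtype:web-application-activity; '
    'sid:1288; rev:5;)',
    # Hypothetical stand-in for the web-cgi adcycle rule (msg/sid are placeholders).
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-CGI adcycle access (placeholder)"; flow:to_server,established; '
    'uricontent:"adcycle"; nocase; classtype:web-application-activity; '
    'sid:1000001; rev:1;)',
]

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Extract sid, msg and the (pattern, nocase) uricontent list from a rule.

    Options are split on ';', which is fine for the rules above but would
    break on a msg containing a literal ';' (assumption: none here).
    """
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule header: %r" % text[:40])
    opts = {}
    uricontents = []  # [pattern, nocase]; nocase modifies the preceding uricontent
    for raw in m.group("opts").split(";"):
        raw = raw.strip()
        if not raw:
            continue
        key, _, val = raw.partition(":")
        key, val = key.strip(), val.strip().strip('"')
        if key == "uricontent":
            uricontents.append([val, False])
        elif key == "nocase":
            if uricontents:
                uricontents[-1][1] = True
        else:
            opts[key] = val
    return {
        "sid": int(opts["sid"]),
        "msg": opts.get("msg", ""),
        "uricontents": [tuple(u) for u in uricontents],
    }


def request_uris(stream):
    """Split a client-to-server byte stream into requests; return each URI.

    Assumes requests without bodies (GET/HEAD), so a blank line ends a request.
    """
    uris = []
    for block in stream.split(b"\r\n\r\n"):
        if not block.strip():
            continue
        request_line = block.split(b"\r\n", 1)[0]
        parts = request_line.split(b" ")
        if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
            continue  # skip malformed request lines rather than guessing
        uris.append(parts[1].decode("latin-1"))
    return uris


def uri_matches(uri, rule):
    """True if every uricontent of the rule is found in the URI (honouring nocase)."""
    for pattern, nocase in rule["uricontents"]:
        hay, needle = (uri.lower(), pattern.lower()) if nocase else (uri, pattern)
        if needle not in hay:
            return False
    return True


def evaluate(stream, rule_texts):
    """Return {sid: [matching URIs]} for every request in the stream."""
    rules = [parse_rule(t) for t in rule_texts]
    hits = {r["sid"]: [] for r in rules}
    for uri in request_uris(stream):
        for r in rules:
            if uri_matches(uri, r):
                hits[r["sid"]].append(uri)
    return hits


if __name__ == "__main__":
    for sid, uris in evaluate(SAMPLE_STREAM, RULES).items():
        print(sid, len(uris), uris)
```

Run against the real capture, the same check (feed it the reassembled client-to-server bytes of the session) tells you whether "/_vti_bin/" is present in any request URI at all; if it is not, an alert on sid 1288 for that session cannot be explained by the rule text, which is the point the post makes about the two engines disagreeing.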