
Which IPS rule caught a packet shown in the log?

Hi,
If IPS finds any unwanted traffic, it logs it and does the action which is configured, right?
But it logs things in a way that I can't see which IPS rule has caught it.

2004:08:30-15:57:36  snort[15948]: [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY  {PROTO006} 192.168.250.24:2895 -> 193.254.186.33:80

2004:08:30-15:24:09  snort[15948]: [119:13:1] (http_inspect) NON-RFC HTTP DELIMITER  {PROTO006} 192.168.250.24:2760 -> 65.200.140.21:80

2004:08:30-15:01:11  snort[15948]: [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING  {PROTO006} 192.168.250.24:2573 -> 66.102.11.104:80

How can I tell from these alerts which rule has caught it? Is there a system within, maybe in this [119:7:1]?

thanks
firebear

