|
|
|
|
Snort Forums Archive
Archive Home » Support » Where can I find information on old SIDs?
Please note that the categories listed below represent an archived version of our forums pages. To view the current version and be able to post and reply to threads, please register and login here to go to the full forums pages.
[ Notice: Full Version of This Topic ]
Where can I find information on old SIDs?
Posted by Willo on March 13, 2005 17:36:46
Hey, we've running snort 2.2.0 at work, and for a few alerts I cannot find any information online on the rules. They are:
SID
7 - (http_inspect) IIS UNICODE CODEFRONT ENCODING
15 - (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
16 - (http_inspect) OVERSIZE CHUNK ENCODING
If had a look in the doc/signatures directory in the source and the lowest number SID is 103. So I'm assuming that these are at a guess legacy signatures. A search on google did not provide any information on where to find out about these signatures.
Can anyone guide me on the right path to find this information?
Cheers. |
|
Posted by novowels on March 13, 2005 18:07:34
These are generated by the http inspect ppreprocessor. Look at the README.http_inspect file in the doc directory distributed with the sources.
Here is a link to it in CVS.
http://cvs.snort.org/viewcvs.cgi/snort/doc/README.http_inspect?rev=1.7.4.4&content-type=text/vnd.viewcvs-markup |
|
Posted by nigel on March 16, 2005 10:06:20
Documentation for http_inspect related events has been available for some time. They are in the doc/signatures directory of your snort source. They are numbered 119-.txt and 120-1.txt |
|
|
|
|
|
