RE: [Sguil-users] Autocat.conf problems
From: Paul S. <pa...@ut...> - 2005-03-21 18:12:45
--On Monday, March 21, 2005 11:52:45 AM -0600 SRH-Lists <gi...@33...> wrote:

>
> Can you include some examples of the actual full message strings that
> these are failing to match on?
>

Sure. On my screen right now is this:

Dst IP 129.110.16.17
DPort 80
Event Message WEB-MISC weblogic/tomcat .jsp view source attempt

Here's the autocat rule:

none||ANY||ANY||ANY||129.110.16.17||80||ANY||%%REGEXP%%^WEB-MISC weblogic/tomcat.jsp view source||16

Paul Schmehl (pa...@ut...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
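
Added example, not part of the original message and not Sguil code: a Python sketch that splits the autocat rule quoted above into its nine ||-separated fields, tests it against the event values exactly as they appear on this page, and reports the first field that fails and how far the message pattern gets. The field names are assumptions inferred from the rule's layout, and Python's re stands in for the Tcl regexp engine Sguil uses (this pattern uses only syntax common to both).

```python
import re

# Field names are assumed from the rule's layout; they are not taken from Sguil.
FIELDS = ["erase", "sensor", "src_ip", "src_port", "dst_ip", "dst_port",
          "proto", "message", "category"]
REGEXP_TAG = "%%REGEXP%%"

# Rule and event values copied as they appear in the message above.
RULE = ("none||ANY||ANY||ANY||129.110.16.17||80||ANY||"
        "%%REGEXP%%^WEB-MISC weblogic/tomcat.jsp view source||16")
EVENT = {"dst_ip": "129.110.16.17", "dst_port": "80",
         "message": "WEB-MISC weblogic/tomcat .jsp view source attempt"}

def parse_rule(line):
    parts = line.strip().split("||")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))

def first_failing_field(rule, event):
    """Return the name of the first criterion the event fails, or None."""
    for name in FIELDS[1:-1]:              # skip erase time and category
        crit, value = rule[name], event.get(name, "")
        if crit == "ANY":
            continue
        if crit.startswith(REGEXP_TAG):    # handled alike in every field here
            if re.search(crit[len(REGEXP_TAG):], value) is None:
                return name
        elif crit != value:
            return name
    return None

def longest_matching_prefix(pattern, text):
    """Longest leading slice of pattern that still matches text."""
    for end in range(len(pattern), 0, -1):
        try:
            if re.search(pattern[:end], text):
                return pattern[:end]
        except re.error:                   # slice cut a construct in half
            continue
    return ""

if __name__ == "__main__":
    rule = parse_rule(RULE)
    field = first_failing_field(rule, EVENT)
    print("first failing field:", field)
    if field and rule[field].startswith(REGEXP_TAG):
        pat = rule[field][len(REGEXP_TAG):]
        print("pattern matches up to:", repr(longest_matching_prefix(pat, EVENT[field])))
```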