List: snort-sigs
Subject: Re: [Snort-sigs] False Positive
From: nnposter () users ! sourceforge ! net
Date: 2005-01-18 21:37:13
Message-ID: 972.1.4 () () users ! sourceforge ! net
fmonkey@fmonkey.net wrote:
> Rule: WEB-IIS %2E-asp access
> --
> Sid: 972
> --
> Summary: Google toolbar encodes period when checking on updates to web
> pages.
> --
> Impact: N/A
>
> --
> Detailed Information: It appears the Google toolbar checks for the
> "freshness" of a page, and encodes the URL of the page as part of the
> request to the Google server. This triggers the alert, but there is no
> attack.

This is a known issue with this rule. You can try this fix, which I
proposed a while ago:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"WEB-IIS %2E-asp access"; flow:to_server,established; \
    uricontent:".asp"; nocase; content:"%2Easp"; nocase; \
    pcre:"/^\s*[A-Z]+[ \t]+[^\s\?]*(?i)%2Easp\b/m"; \
    reference:bugtraq,1814; reference:cve,CAN-1999-0253; \
    classtype:web-application-activity; sid:makeyourown; rev:makeyourown;)

Cheers,
nnposter
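
The following is an added example, not part of the original message or of Snort: a Python approximation of the proposed rule's three payload options, showing that the pcre alerts only when %2Easp sits in the path portion of the request line and not in the query string. The sample requests are constructed, the function and variable names are hypothetical, and urllib's unquote() is assumed as a stand-in for Snort's URI normalization.

```python
import re
from urllib.parse import unquote

# The pcre from the proposed rule. PCRE's mid-pattern (?i) applies to the rest
# of the pattern; Python needs the scoped form (?i:...) for the same effect.
PATH_PCRE = re.compile(r"^\s*[A-Z]+[ \t]+[^\s\?]*(?i:%2Easp)\b", re.MULTILINE)


def evaluate(payload: str) -> dict:
    """Approximate uricontent, content and pcre against one raw HTTP request."""
    request_line = payload.split("\r\n", 1)[0]
    parts = request_line.split()
    raw_uri = parts[1] if len(parts) > 1 else ""
    # Assumption: unquote() stands in for Snort's URI normalization.
    uricontent = ".asp" in unquote(raw_uri).lower()   # uricontent:".asp"; nocase
    content = "%2easp" in payload.lower()             # content:"%2Easp"; nocase
    pcre = PATH_PCRE.search(payload) is not None      # path-only match
    return {"uricontent": uricontent, "content": content, "pcre": pcre,
            "alert": uricontent and content and pcre}


# Constructed sample requests (not captured traffic).
SAMPLES = {
    # Encoded page URL carried in the query string, as in the reported case.
    "encoded_in_query": "GET /search?q=info:http%3A%2F%2Fwww%2Eexample%2Ecom"
                        "%2Fnews%2Easp HTTP/1.1\r\nHost: toolbar.example\r\n\r\n",
    # Encoded period in the requested path itself.
    "encoded_in_path": "GET /scripts/default%2easp?id=1 HTTP/1.1\r\n"
                       "Host: www.example.com\r\n\r\n",
    # Ordinary request with a literal period.
    "plain_asp": "GET /default.asp HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # \b stops the match when more word characters follow "asp".
    "aspx_in_path": "GET /app/page%2Easpx HTTP/1.1\r\n"
                    "Host: www.example.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, evaluate(payload))
```
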