
List:       snort-sigs
Subject:    Re: [Snort-sigs] False Positive
From:       nnposter () users ! sourceforge ! net
Date:       2005-01-18 21:37:13
Message-ID: 972.1.4 ()  () users ! sourceforge ! net

fmonkey@fmonkey.net wrote:
> Rule:  WEB-IIS %2E-asp access
> --
> Sid: 972
> --
> Summary:  Google toolbar encodes period when checking on updates to web
> pages.
> --
> Impact: N/A
> 
> --
> Detailed Information:  It appears the Google toolbar checks for the
> "freshness" of a page, and encodes the URL of the page as part of the
> request to the Google server.  This triggers the alert, but there is no
> attack.

This is a known issue with this rule. You can try this fix, which I 
proposed a while ago:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-IIS %2E-asp access"; flow:to_server,established; 
uricontent:".asp"; nocase; content:"%2Easp"; nocase; 
pcre:"/^\s*[A-Z]+[ \t]+[^\s\?]*(?i)%2Easp\b/m"; 
reference:bugtraq,1814; reference:cve,CAN-1999-0253; 
classtype:web-application-activity; sid:makeyourown; rev:makeyourown;)

Cheers,
nnposter
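To show what the proposed PCRE changes, here is an added Python example (not part of this thread or of the Snort ruleset): it applies the path-only pattern beside a payload-wide search for "%2Easp" to a few constructed request lines, including a toolbar-style request that carries the encoded page URL in its query string. The sample requests are constructed, and the payload-wide search is an assumption standing in for the unmodified rule's behaviour, not a copy of its exact content match.

```python
import re

# Translation of the proposed rule's PCRE into Python's re.  PCRE applies a
# mid-pattern (?i) to the rest of the pattern; Python 3.11+ only accepts the
# scoped form (?i:...), which has the same effect here.  ^ with MULTILINE
# (Snort's /m) pins the match to the start of a line, i.e. the request line.
PATH_ONLY = re.compile(r"^\s*[A-Z]+[ \t]+[^\s?]*(?i:%2Easp\b)", re.MULTILINE)

# Stand-in for a payload-wide, case-insensitive search for "%2Easp".  This is
# an assumption about what fires on the toolbar request, not the original
# rule's exact content match.
ANYWHERE = re.compile(r"%2Easp", re.IGNORECASE)


def fires_anywhere(request: str) -> bool:
    # Fires if "%2Easp" occurs anywhere in the request, query string included.
    return ANYWHERE.search(request) is not None


def fires_path_only(request: str) -> bool:
    # Fires only if "%2Easp" sits in the request line's path: the character
    # class before it excludes whitespace and '?', so the scan stops at the
    # start of the query string and an encoded URL carried there is ignored.
    return PATH_ONLY.search(request) is not None


# Constructed sample requests (not captured traffic).
DIRECT = "GET /default%2Easp HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
DIRECT_MIXED_CASE = "GET /Default%2eASP HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# Approximation of the toolbar "freshness" check: the visited page's URL,
# percent-encoded, rides in the query string of a request to Google.
TOOLBAR = ("GET /search?client=navclient-auto&q=info:http://www.example.com/"
           "index%2Easp HTTP/1.1\r\nHost: toolbarqueries.google.com\r\n\r\n")
# \b after "asp" keeps ".aspx" from matching the PCRE.
ASPX = "GET /page%2Easpx HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def compare(requests: dict) -> dict:
    # Map each sample name to (payload-wide match, path-only match).
    return {name: (fires_anywhere(r), fires_path_only(r))
            for name, r in requests.items()}


if __name__ == "__main__":
    samples = {"direct": DIRECT, "direct_mixed_case": DIRECT_MIXED_CASE,
               "toolbar": TOOLBAR, "aspx": ASPX}
    for name, (anywhere, path_only) in compare(samples).items():
        print(f"{name:18s} anywhere={anywhere!s:5s} path_only={path_only}")
```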


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs