
Re: [Snort-sigs] SID 1344

Subject: Re: [Snort-sigs] SID 1344
Date: Sat, 21 Aug 2004 12:56:12 -0400
On  0, James Ashton <james@vortechhosting.com> allegedly wrote:
I have been getting a lot of falses lately on SID:1344

And since the rule is looking for access to "cc" followed by a space, you
will continue to get events when your customers use URIs like

 http://www.turfcatering.com/hsc&cc menus.htm

Not sure what your best course of action might be here, stop using spaces
in URIs (my first choice), turn the rule off (You're using FreeBSD on the
server so there are many many things you can do to make sure you are not
affected by this issue) or create a pass rule maybe.

You're a hosting company right? So you'll already be running the websites
you host in a Jail correct? You'll be using securelevel and chflags to your
advantage too right? I would hope that no-one is able to access cc via a
URI on the hosted sites.

Here is today's Pcap.


47 45 54 20 2F 69 6D 61 67 65 73 2F 68 73 5F 70       GET /images/hs_p
68 6F 74 6F 5F 6E 69 67 68 74 6C 69 66 65 33 2E       hoto_nightlife3.
6A 70 67 20 48 54 54 50 2F 31 2E 31 0D 0A 41 63       jpg HTTP/1.1..Ac
63 65 70 74 3A 20 2A 2F 2A 0D 0A 52 65 66 65 72       cept: */*..Refer
65 72 3A 20 68 74 74 70 3A 2F 2F 77 77 77 2E 74       er: http://www.t
75 72 66 63 61 74 65 72 69 6E 67 2E 63 6F 6D 2F       urfcatering.com/
68 73 63 25 32 36 63 63 25 32 30 6D 65 6E 75 73       hsc%26cc%20menus
2E 68 74 6D 0D 0A 41 63 63 65 70 74 2D 4C 61 6E       .htm..Accept-Lan
67 75 61 67 65 3A 20 65 6E 2D 75 73 0D 0A 41 63       guage: en-us..Ac
63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67       cept-Encoding: g
7A 69 70 2C 20 64 65 66 6C 61 74 65 0D 0A 55 73       zip, deflate..Us
65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C       er-Agent: Mozill
61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C       a/4.0 (compatibl
65 3B 20 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E       e; MSIE 6.0; Win
64 6F 77 73 20 4E 54 20 35 2E 31 29 0D 0A 48 6F       dows NT 5.1)..Ho
73 74 3A 20 77 77 77 2E 74 75 72 66 63 61 74 65       st: www.turfcate
72 69 6E 67 2E 63 6F 6D 0D 0A 43 6F 6E 6E 65 63       ring.com..Connec
74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65       tion: Keep-Alive
0D 0A 0D 0A    
 
 
+-------------------------------------------------------------------------+
       Nigel Houghton       Research Engineer        Sourcefire Inc.
                       Vulnerability Research Team
                                                                         
  "Dude, dolphins are intelligent and friendly!" - Wendy
  "Intelligent and friendly on rye bread, with some mayonaise." - Cartman
+-------------------------------------------------------------------------+
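
An added triage example, not part of the original message and not Snort code: it percent-decodes each field of the captured request and reports which one contains "cc" followed by a space. NEEDLE is a simplified stand-in for the behaviour described in the reply (an assumption, not the text of SID 1344), and PAGE_REQUEST is a constructed request for the page itself.

```python
from urllib.parse import unquote

# Assumption: simplified stand-in for "cc followed by a space" as described
# in the reply; this is not the actual text of SID 1344.
NEEDLE = "cc "

# Rebuilt from the ASCII column of the capture in the message.
CAPTURED = (
    b"GET /images/hs_photo_nightlife3.jpg HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Referer: http://www.turfcatering.com/hsc%26cc%20menus.htm\r\n"
    b"Accept-Language: en-us\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Host: www.turfcatering.com\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)

# Constructed sample: the browser fetching the page named in the Referer.
PAGE_REQUEST = (
    b"GET /hsc%26cc%20menus.htm HTTP/1.1\r\n"
    b"Host: www.turfcatering.com\r\n\r\n"
)

def split_request(raw):
    """Return [(field_name, raw_value)] for the request URI and each header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    fields = [("request-uri", target)]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        fields.append((name.strip().lower(), value.strip()))
    return fields

def locate_hits(raw):
    """List the fields whose percent-decoded value contains NEEDLE."""
    hits = []
    for name, value in split_request(raw):
        decoded = unquote(value)  # %26 -> "&", %20 -> " "
        if NEEDLE in decoded.lower():
            hits.append((name, decoded))
    return hits

if __name__ == "__main__":
    for label, raw in (("captured", CAPTURED), ("page", PAGE_REQUEST)):
        print(label, locate_hits(raw))
```

For the captured image request the only hit is the Referer header, so every resource the page references can repeat the event, not just the request for the page.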

