
| Subject: | RE: [Snort-sigs] SID 1344 |
|---|---|
| Date: | Sat, 21 Aug 2004 14:49:19 -0400 |
I wasn't so much thinking of my application. I'm not too worried about this happening. I was more concerned with improving the sig. This is a pretty broad sig and the definition is listed as "no false positives known". I have thousands of URLs here that trip it.

-----Original Message-----
From: snort-sigs-admin@lists.sourceforge.net [mailto:snort-sigs-admin@lists.sourceforge.net] On Behalf Of Nigel Houghton
Sent: Saturday, August 21, 2004 12:56 PM
To: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] SID 1344

On 0, James Ashton <james@vortechhosting.com> allegedly wrote:
I have been getting a lot of falses lately on SID:1344
And since the rule is looking for access to "cc" followed by a space, you will continue to get events when your customers use URIs like http://www.turfcatering.com/hsc&cc menus.htm

Not sure what your best course of action might be here: stop using spaces in URIs (my first choice), turn the rule off (you're using FreeBSD on the server, so there are many, many things you can do to make sure you are not affected by this issue), or create a pass rule maybe.

You're a hosting company, right? So you'll already be running the websites you host in a Jail, correct? You'll be using securelevel and chflags to your advantage too, right? I would hope that no-one is able to access cc via a URI on the hosted sites.
Here is today's Pcap.

47 45 54 20 2F 69 6D 61 67 65 73 2F 68 73 5F 70  GET /images/hs_p
68 6F 74 6F 5F 6E 69 67 68 74 6C 69 66 65 33 2E  hoto_nightlife3.
6A 70 67 20 48 54 54 50 2F 31 2E 31 0D 0A 41 63  jpg HTTP/1.1..Ac
63 65 70 74 3A 20 2A 2F 2A 0D 0A 52 65 66 65 72  cept: */*..Refer
65 72 3A 20 68 74 74 70 3A 2F 2F 77 77 77 2E 74  er: http://www.t
75 72 66 63 61 74 65 72 69 6E 67 2E 63 6F 6D 2F  urfcatering.com/
68 73 63 25 32 36 63 63 25 32 30 6D 65 6E 75 73  hsc%26cc%20menus
2E 68 74 6D 0D 0A 41 63 63 65 70 74 2D 4C 61 6E  .htm..Accept-Lan
67 75 61 67 65 3A 20 65 6E 2D 75 73 0D 0A 41 63  guage: en-us..Ac
63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67  cept-Encoding: g
7A 69 70 2C 20 64 65 66 6C 61 74 65 0D 0A 55 73  zip, deflate..Us
65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C  er-Agent: Mozill
61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C  a/4.0 (compatibl
65 3B 20 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E  e; MSIE 6.0; Win
64 6F 77 73 20 4E 54 20 35 2E 31 29 0D 0A 48 6F  dows NT 5.1)..Ho
73 74 3A 20 77 77 77 2E 74 75 72 66 63 61 74 65  st: www.turfcate
72 69 6E 67 2E 63 6F 6D 0D 0A 43 6F 6E 6E 65 63  ring.com..Connec
74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65  tion: Keep-Alive
0D 0A 0D 0A                                      ....
+-------------------------------------------------------------------------+
Nigel Houghton Research Engineer Sourcefire Inc.
Vulnerability Research Team
"Dude, dolphins are intelligent and friendly!" - Wendy
"Intelligent and friendly on rye bread, with some mayonnaise." - Cartman
+-------------------------------------------------------------------------+
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
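The false positive discussed in the thread, reproduced offline as an added example (this is not code from the thread, from Snort, or from Sourcefire). It applies the match Nigel describes, a case-insensitive search for "cc" followed by a space, to the request in James's hex dump, once on the raw bytes and once after percent-decoding, and reports which field the hit lands in. Only percent-decoding is modelled; that Snort's http_inspect preprocessor normalizes the payload the same way is an assumption made here, not something the thread states. Two further requests are constructed for comparison: Nigel's example URI sent with a literal space, and a request with `cc` in the URI query; the `build.cgi` path and the `example.test` host in those are made up.

```python
"""Where does a case-insensitive "cc " land in the posted request?

Added example, not part of the Snort-sigs thread and not Snort code. It
applies the match Nigel describes ("cc" followed by a space) to James's
posted request, once on the raw bytes and once after percent-decoding,
and reports which field the hit is in. Only percent-decoding is modelled;
that Snort's http_inspect behaves the same way is an assumption here.
"""
from typing import Dict, Tuple
from urllib.parse import unquote_to_bytes

NEEDLE = b"cc "

# Hex bytes exactly as posted in the thread (ASCII column dropped).
PCAP_HEX = """
47 45 54 20 2F 69 6D 61 67 65 73 2F 68 73 5F 70 68 6F 74 6F 5F 6E 69 67 68 74 6C 69 66 65 33 2E
6A 70 67 20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 52 65 66 65 72
65 72 3A 20 68 74 74 70 3A 2F 2F 77 77 77 2E 74 75 72 66 63 61 74 65 72 69 6E 67 2E 63 6F 6D 2F
68 73 63 25 32 36 63 63 25 32 30 6D 65 6E 75 73 2E 68 74 6D 0D 0A 41 63 63 65 70 74 2D 4C 61 6E
67 75 61 67 65 3A 20 65 6E 2D 75 73 0D 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67
7A 69 70 2C 20 64 65 66 6C 61 74 65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C
61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E
64 6F 77 73 20 4E 54 20 35 2E 31 29 0D 0A 48 6F 73 74 3A 20 77 77 77 2E 74 75 72 66 63 61 74 65
72 69 6E 67 2E 63 6F 6D 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65
0D 0A 0D 0A
"""
REQUEST_FROM_PCAP = bytes(int(tok, 16) for tok in PCAP_HEX.split())

# Constructed requests (not from the thread). The first is Nigel's example
# URI sent with a literal space; the second has "cc " in the URI query,
# the kind of request the signature is after. build.cgi and example.test
# are made up for illustration.
SPACE_URI_REQUEST = (b"GET /hsc&cc menus.htm HTTP/1.1\r\n"
                     b"Host: www.turfcatering.com\r\n\r\n")
CC_IN_URI_REQUEST = (b"GET /cgi-bin/build.cgi?src=cc%20hello.c HTTP/1.1\r\n"
                     b"Host: example.test\r\n\r\n")


def parse_request(raw: bytes) -> Tuple[bytes, Dict[bytes, bytes]]:
    """Split one HTTP/1.x request into (request-URI, lower-cased headers).

    The version is peeled off from the right so a URI containing a literal
    space, as in Nigel's example, survives intact.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    _method, rest = lines[0].split(b" ", 1)
    uri, _version = rest.rsplit(b" ", 1)
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return uri, headers


def has_cc_space(buf: bytes, percent_decode: bool) -> bool:
    """Case-insensitive search for "cc ", optionally after %XX decoding."""
    if percent_decode:
        buf = unquote_to_bytes(buf)
    return NEEDLE in buf.lower()


def locate_matches(raw: bytes) -> Dict[str, bool]:
    """Report where "cc " appears: raw bytes, decoded payload, URI, Referer."""
    uri, headers = parse_request(raw)
    referer = headers.get(b"referer", b"")
    return {
        "raw_payload": has_cc_space(raw, percent_decode=False),
        "decoded_payload": has_cc_space(raw, percent_decode=True),
        "decoded_uri": has_cc_space(uri, percent_decode=True),
        "decoded_referer": has_cc_space(referer, percent_decode=True),
    }


if __name__ == "__main__":
    for label, req in [("posted pcap", REQUEST_FROM_PCAP),
                       ("literal space in URI", SPACE_URI_REQUEST),
                       ("cc in URI query", CC_IN_URI_REQUEST)]:
        print(label, locate_matches(req))
```

For the posted request the raw bytes never contain "cc " (the space is sent as %20); the match appears only once %26cc%20 in the Referer is decoded, and the request URI itself (/images/hs_photo_nightlife3.jpg) is clean. A search confined to the request URI would therefore not fire on this packet, while still firing on both constructed requests, which carry "cc " in the URI; whether that narrower scope is what the real rule and preprocessor implement is left open here, as the thread does not say.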