Shirkdog wrote:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
Invalid HTTP Version String"; flow:to_server,established; content:"HTTP/";
isdataat:6,relative; content:!"|0A|"; within:5; reference:bugtraq,9809;
reference:nessus,11593; classtype:non-standard-protocol; sid:2570; rev:6;)
<snip>
However, this rule will trigger if the string "HTTP/" is anywhere in the
packet.
This could take care of it in most cases:
pcre:"/^\w+ +\S+ +HTTP\/(?!([1-9]\d*)?\d\.([1-9]\d*)?\d$)/smi"
or
pcre:"/^\w+ +\S+ +HTTP\/(?!\d\.\d$)/smi"
The first one is fully RFC 2616 compliant while the second variant is tailored
towards commonly used versions. An extreme would be to list the typical
versions explicitly:
pcre:"/^\w+ +\S+ +HTTP\/(?!(0\.9|1\.[01])$)/smi"
So the full rule would be:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC Invalid HTTP Version String"; flow:to_server,established;
content:"HTTP/";
isdataat:6,relative;
content:!"|0A|"; within:5;
pcre:"--VERSION-CHECK-FROM-ABOVE--";
reference:bugtraq,9809; reference:nessus,11593;
classtype:non-standard-protocol; sid:2570; rev:7;)
Cheers,
nnposter
-------------------------------------------------------
This Newsletter Sponsored by: Macrovision
For reliable Linux application installations, use the industry's leading
setup authoring tool, InstallShield X. Learn more and evaluate
today. http://clk.atdmt.com/MSI/go/ins0030000001msi/direct/01/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
