[Snort-sigs] Case-sensitivity in 2570.6 (WEB-MISC Invalid HTTP Version String)

Rule:  WEB-MISC Invalid HTTP Version String

--
Sid: 2570

--
False Negatives:
Current version of the rule incorrectly assumes specific HTTP version
capitalization.

See http://www.faqs.org/rfcs/rfc2616.html


I am proposing to add "nocase" to the first content clause:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-MISC Invalid HTTP Version String"; flow:to_server,established; 
content:"HTTP/"; nocase; isdataat:6,relative; content:!"|0A|"; within:5; 
reference:bugtraq,9809; reference:nessus,11593; 
classtype:non-standard-protocol; sid:2570; rev:7;)


-------------------------------------------------------
This SF.Net email is sponsored by: InterSystems CACHE
FREE OODBMS DOWNLOAD - A multidimensional database that combines
robust object and relational technologies, making it a perfect match
for Java, C++,COM, XML, ODBC and JDBC. www.intersystems.com/match8
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs