Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] False positive with Nagios check_http

from [Frank Knobbe] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] False positive with Nagios check_http
Date: Mon, 07 Feb 2005 11:55:28 -0600 
On Mon, 2005-02-07 at 11:52 +0100, Carsten Schmitz wrote:

I keep getting the alert below from the office box running Nagios 1.2
checking my home web site (where Snort lives). Not sure if this is a false
positive, maybe the plugin violates some standard?

Rule: nessus[bugtraq][snort] WEB-MISC Invalid HTTP Version String
Detailed Information:
000 : 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 0D 0A   GET / HTTP/1.0..
010 : 55 73 65 72 2D 41 67 65 6E 74 3A 20 63 68 65 63   User-Agent: chec
020 : 6B 5F 68 74 74 70 2F 31 2E 35 34 20 28 6E 61 67   k_http/1.54 (nag
030 : 69 6F 73 2D 70 6C 75 67 69 6E 73 20 31 2E 34 2E   ios-plugins 1.4.
040 : 30 61 6C 70 68 61 31 29 0D 0A 48 6F 73 74 3A 20   0alpha1)..Host:
050 : 32 31 33 2E 38 34 2E 31 39 32 2E 37 33 0D 0A 0D   xxx.xx.xxx.xx...
060 : 0A                                                .


Rule Detail:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
Invalid HTTP Version String"; flow:to_server,established;
content:"HTTP/"; nocase; isdataat:6,relative; content:!"|0A|"; within:5;
reference:bugtraq,9809; reference:nessus,11593;
classtype:non-standard-protocol; sid:2570; rev:7;)


Nope, it does what it is supposed to do. It looks for HTTP/ and checks
if there is a LF within 5 bytes. 

In your packet it matched on the "http/" in "check_http/1.54" but of
course doesn't see a LF within 5 bytes (where it says "(nagios-plugins).


A proposed solution might be to look for " HTTP/" since the user agent
doesn't contain a space and (iirc) the HTTP spec defines a space before
HTTP/x.x.

Regards,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] snort usage, s a
Next by Date:  [Snort-sigs] http post on port 25, hans
Previous by Thread:  [Snort-sigs] False positive with Nagios check_http, Carsten Schmitz
Next by Thread:  [Snort-sigs] http post on port 25, hans
Indexes:  [Date] [Thread] [Top] [All Lists]