[Snort-sigs] False positive - sid:1333

/usr/local/share/snort/web-attacks.rules:alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS id command attempt"; 
flow:to_server,established; content:"|3B|id"; nocase; 
classtype:web-application-attack; sid:1333; rev:6;)

This is a bit of a mystery.  I can't find the string ";id" anywhere in the 
packet.

length = 599

000 : 47 45 54 20 2F 77 65 62 2D 63 74 2F 65 6E 38 2F   GET /web-ct/en8/
010 : 69 6D 67 2F 73 6D 61 6C 6C 5F 75 6E 72 65 61 64   img/small_unread
020 : 5F 6D 65 73 73 61 67 65 73 2E 67 69 66 20 48 54   _messages.gif HT
030 : 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20   TP/1.1..Accept:
040 : 2A 2F 2A 0D 0A 52 65 66 65 72 65 72 3A 20 68 74   */*..Referer: ht
050 : 74 70 3A 2F 2F 77 65 62 63 74 2E 75 74 64 61 6C   tp://webct.utdal
060 : 6C 61 73 2E 65 64 75 2F 53 43 52 49 50 54 2F 31   las.edu/SCRIPT/1
070 : 30 36 37 38 32 30 30 35 53 2F 73 63 72 69 70 74   06782005S/script
080 : 73 2F 73 74 75 64 65 6E 74 2F 73 65 72 76 65 5F   s/student/serve_
090 : 62 75 6C 6C 65 74 69 6E 3F 41 43 54 49 4F 4E 3D   bulletin?ACTION=
0a0 : 4C 49 53 54 26 41 52 47 31 3D 4D 61 69 6E 26 50   LIST&ARG1=Main&P
0b0 : 41 47 45 3D 30 0D 0A 41 63 63 65 70 74 2D 4C 61   AGE=0..Accept-La
0c0 : 6E 67 75 61 67 65 3A 20 65 6E 2D 75 73 0D 0A 41   nguage: en-us..A
0d0 : 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20   ccept-Encoding:
0e0 : 67 7A 69 70 2C 20 64 65 66 6C 61 74 65 0D 0A 49   gzip, deflate..I
0f0 : 66 2D 4D 6F 64 69 66 69 65 64 2D 53 69 6E 63 65   f-Modified-Since
100 : 3A 20 46 72 69 2C 20 32 35 20 4A 75 6C 20 32 30   : Fri, 25 Jul 20
110 : 30 33 20 32 33 3A 32 34 3A 35 36 20 47 4D 54 0D   03 23:24:56 GMT.
120 : 0A 49 66 2D 4E 6F 6E 65 2D 4D 61 74 63 68 3A 20   .If-None-Match:
130 : 22 32 31 32 62 64 64 2D 38 62 2D 38 33 33 31 61   "212bdd-8b-8331a
140 : 32 30 30 22 0D 0A 55 73 65 72 2D 41 67 65 6E 74   200"..User-Agent
150 : 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63   : Mozilla/4.0 (c
160 : 6F 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20   ompatible; MSIE
170 : 36 2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20   6.0; Windows NT
180 : 35 2E 31 3B 20 53 56 31 3B 20 2E 4E 45 54 20 43   5.1; SV1; .NET C
190 : 4C 52 20 31 2E 31 2E 34 33 32 32 29 0D 0A 48 6F   LR 1.1.4322)..Ho
1a0 : 73 74 3A 20 77 65 62 63 74 2E 75 74 64 61 6C 6C   st: webct.utdall
1b0 : 61 73 2E 65 64 75 0D 0A 43 6F 6E 6E 65 63 74 69   as.edu..Connecti
1c0 : 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A   on: Keep-Alive..
1d0 : 43 6F 6F 6B 69 65 3A 20 57 65 62 43 54 54 69 63   Cookie: WebCTTic

removed 1e0 through 200 because it was a username/password combo

210 : 48 58 4D 25 32 36 65 78 70 69 72 79 25 33 44 31   HXM%26expiry%3D1
220 : 31 31 30 38 34 37 37 39 36 25 32 36 68 61 73 68   110847796%26hash
230 : 25 33 44 36 61 35 66 33 64 36 31 61 32 64 36 62   %3D6a5f3d61a2d6b
240 : 61 62 62 61 65 64 63 34 65 32 33 64 66 66 61 35   abbaedc4e23dffa5
250 : 63 66 36 0D 0A 0D 0A                              cf6....

I don't know what this alert is triggering on.  If it was in hex, it would 
be |3B 69 64|, but I don't see that anywhere either.  There are four 3Bs 
(;), but none are followed by 69 (i).  So what the heck is this thing 
triggering on?

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs