[Snort-sigs] False Positive - WEB-PHP modules.php access

Subject: [Snort-sigs] False Positive - WEB-PHP modules.php access
Date: Fri, 2 Sep 2005 08:14:56 -0700 (PDT)
If I'm not reporting this in the right way please educate me.

Rule:   WEB-PHP modules.php access

--
Sid:     1:2565

--
False Positives:

This rule seems to be generating false positives when users are accessing
my gallery that is embedded in postnuke. It seems to be reproducible.

Generated by BASE v1.1.4 (cheryl) on Fri, 02 Sep 2005 08:09:12 -0700

------------------------------------------------------------------------------
#(1 - 13) [2005-09-01 11:01:01] [bugtraq/9879] [snort/2565]  WEB-PHP
modules.php access
IPv4: 195.62.133.175 -> 209.237.15.226
      hlen=5 TOS=0 dlen=579 ID=41673 flags=0 offset=0 TTL=47 chksum=31790
TCP:  port=53837 -> dport: 80  flags=***AP*** seq=1400044823
      ack=4078808928 off=8 res=0 win=16022 urp=0 chksum=33820
      Options:
       #1 - NOP len=0
       #2 - NOP len=0
       #3 - TS len=8 data=77D38379020697EE
Payload:  length = 527

000 : 47 45 54 20 2F 6D 6F 64 75 6C 65 73 2E 70 68 70   GET /modules.php
010 : 3F 6F 70 3D 6D 6F 64 6C 6F 61 64 26 6E 61 6D 65   ?op=modload&name
020 : 3D 67 61 6C 6C 65 72 79 26 66 69 6C 65 3D 69 6E   =gallery&file=in
030 : 64 65 78 20 48 54 54 50 2F 31 2E 30 0D 0A 41 63   dex HTTP/1.0..Ac
040 : 63 65 70 74 3A 20 69 6D 61 67 65 2F 67 69 66 2C   cept: image/gif,
050 : 20 69 6D 61 67 65 2F 78 2D 78 62 69 74 6D 61 70    image/x-xbitmap
060 : 2C 20 69 6D 61 67 65 2F 6A 70 65 67 2C 20 69 6D   , image/jpeg, im
070 : 61 67 65 2F 70 6A 70 65 67 2C 20 61 70 70 6C 69   age/pjpeg, appli
080 : 63 61 74 69 6F 6E 2F 78 2D 73 68 6F 63 6B 77 61   cation/x-shockwa
090 : 76 65 2D 66 6C 61 73 68 2C 20 61 70 70 6C 69 63   ve-flash, applic
0a0 : 61 74 69 6F 6E 2F 78 2D 67 73 61 72 63 61 64 65   ation/x-gsarcade
0b0 : 2D 6C 61 75 6E 63 68 2C 20 2A 2F 2A 0D 0A 52 65   -launch, */*..Re
0c0 : 66 65 72 65 72 3A 20 68 74 74 70 3A 2F 2F 77 77   ferer: http://ww
0d0 : 77 2E 6D 65 6B 68 71 2E 63 6F 6D 2F 0D 0A 41 63   w.mekhq.com/..Ac
0e0 : 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 72   cept-Language: r
0f0 : 75 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D   u..User-Agent: M
100 : 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70   ozilla/4.0 (comp
110 : 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36 2E 30   atible; MSIE 6.0
120 : 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 31   ; Windows NT 5.1
130 : 3B 20 53 56 31 29 0D 0A 48 6F 73 74 3A 20 77 77   ; SV1)..Host: ww
140 : 77 2E 6D 65 6B 68 71 2E 63 6F 6D 0D 0A 43 6F 6F   w.mekhq.com..Coo
150 : 6B 69 65 3A 20 50 4F 53 54 4E 55 4B 45 53 49 44   kie: POSTNUKESID
160 : 3D 63 31 36 64 37 31 30 63 65 64 33 61 65 35 32   =c16d710ced3ae52
170 : 38 31 32 37 36 33 31 65 35 65 62 61 63 37 34 63   8127631e5ebac74c
180 : 38 0D 0A 56 69 61 3A 20 31 2E 30 20 70 72 6F 78   8..Via: 1.0 prox
190 : 79 2E 67 72 61 76 69 73 6E 65 74 2E 6C 76 3A 38   y.gravisnet.lv:8
1a0 : 30 20 28 73 71 75 69 64 2F 32 2E 35 2E 53 54 41   0 (squid/2.5.STA
1b0 : 42 4C 45 37 29 0D 0A 58 2D 46 6F 72 77 61 72 64   BLE7)..X-Forward
1c0 : 65 64 2D 46 6F 72 3A 20 38 30 2E 39 30 2E 31 36   ed-For: 80.90.16
1d0 : 2E 31 38 37 0D 0A 43 61 63 68 65 2D 43 6F 6E 74   .187..Cache-Cont
1e0 : 72 6F 6C 3A 20 6D 61 78 2D 61 67 65 3D 32 35 39   rol: max-age=259
1f0 : 32 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A   200..Connection:
200 : 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 0D 0A       keep-alive....


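Added example, not part of the original post and not code from Snort or BASE: a small Python script for triaging an alert like the one above. It rebuilds the payload bytes from a BASE hex dump and lists the request's path and query parameters. The function names and the "plain token" check in unusual_params are assumptions made for illustration; the sample input is the first four payload lines of the alert.

```python
import re
from urllib.parse import urlsplit, parse_qs

# First four payload lines of the alert above, used as sample input.
SAMPLE_DUMP = """\
000 : 47 45 54 20 2F 6D 6F 64 75 6C 65 73 2E 70 68 70   GET /modules.php
010 : 3F 6F 70 3D 6D 6F 64 6C 6F 61 64 26 6E 61 6D 65   ?op=modload&name
020 : 3D 67 61 6C 6C 65 72 79 26 66 69 6C 65 3D 69 6E   =gallery&file=in
030 : 64 65 78 20 48 54 54 50 2F 31 2E 30 0D 0A 41 63   dex HTTP/1.0..Ac
"""

# Offset, colon, then hex bytes separated by single spaces.
# The ASCII column sits after a wider gap and is ignored.
LINE_RE = re.compile(r"^\s*([0-9a-fA-F]+)\s*:\s*((?:[0-9a-fA-F]{2} ?)+)")
PLAIN = re.compile(r"[A-Za-z0-9_]+")  # assumption: what counts as a plain value

def decode_base_dump(text):
    """Rebuild payload bytes from BASE hex-dump lines, checking the offsets."""
    payload = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip headers, blank lines and other non-dump text
        offset = int(m.group(1), 16)
        if offset != len(payload):
            raise ValueError(f"gap in dump at offset {offset:#x}")
        payload += bytes.fromhex(m.group(2))
    return bytes(payload)

def request_summary(payload):
    """Return (method, path, query parameters) from the HTTP request line."""
    request_line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    return method, parts.path, parse_qs(parts.query)

def unusual_params(params):
    """Hypothetical triage check: names of parameters with non-plain values."""
    return sorted(k for k, vs in params.items()
                  if not all(PLAIN.fullmatch(v) for v in vs))

if __name__ == "__main__":
    method, path, params = request_summary(decode_base_dump(SAMPLE_DUMP))
    print(method, path, params, unusual_params(params))
```

For the request in this alert every parameter value is a plain token, which is the kind of detail worth including when reporting a false positive.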
