Network Security: Detailed info on Re: [Snort-sigs] False Positive

Subject:	Re: [Snort-sigs] False Positive - WEB-PHP modules.php access
Date:	Fri, 02 Sep 2005 12:02:22 -0400

That is not a false positive. It is a positive positive for modules.php. You could call it a non-contextual but given that you are running PostNuke and it is in fact access to modules.php I wouldn't even say that it is a non contextual.

You should tune the rule out for this specific purpose or turn it off if you are confident modules.php has no issues that you are concerned about.

BassPlayer wrote:

If I'm not reporting this in the right way please educate me.

Rule:   WEB-PHP modules.php access

--
Sid:     1:2565

--
False Positives:

This rule seems to be generating false positives when users are accessing
my galllery that is embedded in postnuke. It seems to be reproducable.

Generated by BASE v1.1.4 (cheryl) on Fri, 02 Sep 2005 08:09:12 -0700

------------------------------------------------------------------------------
#(1 - 13) [2005-09-01 11:01:01] [bugtraq/9879] [snort/2565]  WEB-PHP
modules.php access
IPv4: 195.62.133.175 -> 209.237.15.226
      hlen=5 TOS=0 dlen=579 ID=41673 flags=0 offset=0 TTL=47 chksum=31790
TCP:  port=53837 -> dport: 80  flags=***AP*** seq=1400044823
      ack=4078808928 off=8 res=0 win=16022 urp=0 chksum=33820
      Options:
       #1 - NOP len=0
       #2 - NOP len=0
       #3 - TS len=8 data=77D38379020697EE
Payload:  length = 527

000 : 47 45 54 20 2F 6D 6F 64 75 6C 65 73 2E 70 68 70   GET /modules.php
010 : 3F 6F 70 3D 6D 6F 64 6C 6F 61 64 26 6E 61 6D 65   ?op=modload&name
020 : 3D 67 61 6C 6C 65 72 79 26 66 69 6C 65 3D 69 6E   =gallery&file=in
030 : 64 65 78 20 48 54 54 50 2F 31 2E 30 0D 0A 41 63   dex HTTP/1.0..Ac
040 : 63 65 70 74 3A 20 69 6D 61 67 65 2F 67 69 66 2C   cept: image/gif,
050 : 20 69 6D 61 67 65 2F 78 2D 78 62 69 74 6D 61 70    image/x-xbitmap
060 : 2C 20 69 6D 61 67 65 2F 6A 70 65 67 2C 20 69 6D   , image/jpeg, im
070 : 61 67 65 2F 70 6A 70 65 67 2C 20 61 70 70 6C 69   age/pjpeg, appli
080 : 63 61 74 69 6F 6E 2F 78 2D 73 68 6F 63 6B 77 61   cation/x-shockwa
090 : 76 65 2D 66 6C 61 73 68 2C 20 61 70 70 6C 69 63   ve-flash, applic
0a0 : 61 74 69 6F 6E 2F 78 2D 67 73 61 72 63 61 64 65   ation/x-gsarcade
0b0 : 2D 6C 61 75 6E 63 68 2C 20 2A 2F 2A 0D 0A 52 65   -launch, */*..Re
0c0 : 66 65 72 65 72 3A 20 68 74 74 70 3A 2F 2F 77 77   ferer: http://ww
0d0 : 77 2E 6D 65 6B 68 71 2E 63 6F 6D 2F 0D 0A 41 63   w.mekhq.com/..Ac
0e0 : 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 72   cept-Language: r
0f0 : 75 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D   u..User-Agent: M
100 : 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70   ozilla/4.0 (comp
110 : 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36 2E 30   atible; MSIE 6.0
120 : 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 31   ; Windows NT 5.1
130 : 3B 20 53 56 31 29 0D 0A 48 6F 73 74 3A 20 77 77   ; SV1)..Host: ww
140 : 77 2E 6D 65 6B 68 71 2E 63 6F 6D 0D 0A 43 6F 6F   w.mekhq.com..Coo
150 : 6B 69 65 3A 20 50 4F 53 54 4E 55 4B 45 53 49 44   kie: POSTNUKESID
160 : 3D 63 31 36 64 37 31 30 63 65 64 33 61 65 35 32   =c16d710ced3ae52
170 : 38 31 32 37 36 33 31 65 35 65 62 61 63 37 34 63   8127631e5ebac74c
180 : 38 0D 0A 56 69 61 3A 20 31 2E 30 20 70 72 6F 78   8..Via: 1.0 prox
190 : 79 2E 67 72 61 76 69 73 6E 65 74 2E 6C 76 3A 38   y.gravisnet.lv:8
1a0 : 30 20 28 73 71 75 69 64 2F 32 2E 35 2E 53 54 41   0 (squid/2.5.STA
1b0 : 42 4C 45 37 29 0D 0A 58 2D 46 6F 72 77 61 72 64   BLE7)..X-Forward
1c0 : 65 64 2D 46 6F 72 3A 20 38 30 2E 39 30 2E 31 36   ed-For: 80.90.16
1d0 : 2E 31 38 37 0D 0A 43 61 63 68 65 2D 43 6F 6E 74   .187..Cache-Cont
1e0 : 72 6F 6C 3A 20 6D 61 78 2D 61 67 65 3D 32 35 39   rol: max-age=259
1f0 : 32 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A   200..Connection:
200 : 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 0D 0A       keep-alive....


-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-sigs] False Positive - WEB-PHP modules.php access, BassPlayer Re: [Snort-sigs] False Positive - WEB-PHP modules.php access, Jason Brvenik <= Re: [Snort-sigs] False Positive - WEB-PHP modules.php access, BassPlayer Re: [Snort-sigs] False Positive - WEB-PHP modules.php access, Roger Suppona Re: [Snort-sigs] False Positive - WEB-PHP modules.php access, Roger Suppona

Previous by Date:	[Snort-sigs] False Positive - WEB-PHP modules.php access, BassPlayer
Next by Date:	[Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Previous by Thread:	[Snort-sigs] False Positive - WEB-PHP modules.php access, BassPlayer
Next by Thread:	Re: [Snort-sigs] False Positive - WEB-PHP modules.php access, BassPlayer
Indexes:	[Date] [Thread] [Top] [All Lists]

Re: [Snort-sigs] False Positive - WEB-PHP modules.php access