
Re: [Snort-sigs] False Positive - WEB-PHP modules.php access

Subject: Re: [Snort-sigs] False Positive - WEB-PHP modules.php access
Date: Tue, 6 Sep 2005 08:20:17 -0600
Sorry for the message.  I replied to the wrong one.

Roger

On Sep 6, 2005, at 8:22 AM, BassPlayer wrote:

Thanks. Instead of turning off the rule I've rewritten guardian to ignore a
user defined list of sids.



Jason Brvenik wrote:
> That is not a false positive. It is a positive positive for modules.php.
> You could call it a non-contextual but given that you are running
> PostNuke and it is in fact access to modules.php I wouldn't even say
> that it is a non contextual.
>
> You should tune the rule out for this specific purpose or turn it off if
> you are confident modules.php has no issues that you are concerned about.
>
>
>
> BassPlayer wrote:
>> If I'm not reporting this in the right way please educate me.
>>
>> Rule:   WEB-PHP modules.php access
>>
>> --
>> Sid:          1:2565
>>
>> --
>> False Positives:
>>
>> This rule seems to be generating false positives when users are
>> accessing
>> my gallery that is embedded in postnuke. It seems to be reproducible.
>>
>> Generated by BASE v1.1.4 (cheryl) on Fri, 02 Sep 2005 08:09:12 -0700
>>
>> ------------------------------------------------------------------------------
>> #(1 - 13) [2005-09-01 11:01:01] [bugtraq/9879] [snort/2565]  WEB-PHP
>> modules.php access
>> IPv4: 195.62.133.175 -> 209.237.15.226
>>       hlen=5 TOS=0 dlen=579 ID=41673 flags=0 offset=0 TTL=47
>> chksum=31790
>> TCP:  port=53837 -> dport: 80  flags=***AP*** seq=1400044823
>>       ack=4078808928 off=8 res=0 win=16022 urp=0 chksum=33820
>>       Options:
>>        #1 - NOP len=0
>>        #2 - NOP len=0
>>        #3 - TS len=8 data=77D38379020697EE
>> Payload:  length = 527
>>
>> 000 : 47 45 54 20 2F 6D 6F 64 75 6C 65 73 2E 70 68 70   GET /modules.php
>> 010 : 3F 6F 70 3D 6D 6F 64 6C 6F 61 64 26 6E 61 6D 65   ?op=modload&name
>> 020 : 3D 67 61 6C 6C 65 72 79 26 66 69 6C 65 3D 69 6E   =gallery&file=in
>> 030 : 64 65 78 20 48 54 54 50 2F 31 2E 30 0D 0A 41 63   dex HTTP/1.0..Ac
>> 040 : 63 65 70 74 3A 20 69 6D 61 67 65 2F 67 69 66 2C   cept: image/gif,
>> 050 : 20 69 6D 61 67 65 2F 78 2D 78 62 69 74 6D 61 70    image/x-xbitmap
>> 060 : 2C 20 69 6D 61 67 65 2F 6A 70 65 67 2C 20 69 6D   , image/jpeg, im
>> 070 : 61 67 65 2F 70 6A 70 65 67 2C 20 61 70 70 6C 69   age/pjpeg, appli
>> 080 : 63 61 74 69 6F 6E 2F 78 2D 73 68 6F 63 6B 77 61   cation/x-shockwa
>> 090 : 76 65 2D 66 6C 61 73 68 2C 20 61 70 70 6C 69 63   ve-flash, applic
>> 0a0 : 61 74 69 6F 6E 2F 78 2D 67 73 61 72 63 61 64 65   ation/x-gsarcade
>> 0b0 : 2D 6C 61 75 6E 63 68 2C 20 2A 2F 2A 0D 0A 52 65   -launch, */*..Re
>> 0c0 : 66 65 72 65 72 3A 20 68 74 74 70 3A 2F 2F 77 77   ferer: http://ww
>> 0d0 : 77 2E 6D 65 6B 68 71 2E 63 6F 6D 2F 0D 0A 41 63   w.mekhq.com/..Ac
>> 0e0 : 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 72   cept-Language: r
>> 0f0 : 75 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D   u..User-Agent: M
>> 100 : 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70   ozilla/4.0 (comp
>> 110 : 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36 2E 30   atible; MSIE 6.0
>> 120 : 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 31   ; Windows NT 5.1
>> 130 : 3B 20 53 56 31 29 0D 0A 48 6F 73 74 3A 20 77 77   ; SV1)..Host: ww
>> 140 : 77 2E 6D 65 6B 68 71 2E 63 6F 6D 0D 0A 43 6F 6F   w.mekhq.com..Coo
>> 150 : 6B 69 65 3A 20 50 4F 53 54 4E 55 4B 45 53 49 44   kie: POSTNUKESID
>> 160 : 3D 63 31 36 64 37 31 30 63 65 64 33 61 65 35 32   =c16d710ced3ae52
>> 170 : 38 31 32 37 36 33 31 65 35 65 62 61 63 37 34 63   8127631e5ebac74c
>> 180 : 38 0D 0A 56 69 61 3A 20 31 2E 30 20 70 72 6F 78   8..Via: 1.0 prox
>> 190 : 79 2E 67 72 61 76 69 73 6E 65 74 2E 6C 76 3A 38   y.gravisnet.lv:8
>> 1a0 : 30 20 28 73 71 75 69 64 2F 32 2E 35 2E 53 54 41   0 (squid/2.5.STA
>> 1b0 : 42 4C 45 37 29 0D 0A 58 2D 46 6F 72 77 61 72 64   BLE7)..X-Forward
>> 1c0 : 65 64 2D 46 6F 72 3A 20 38 30 2E 39 30 2E 31 36   ed-For: 80.90.16
>> 1d0 : 2E 31 38 37 0D 0A 43 61 63 68 65 2D 43 6F 6E 74   .187..Cache-Cont
>> 1e0 : 72 6F 6C 3A 20 6D 61 78 2D 61 67 65 3D 32 35 39   rol: max-age=259
>> 1f0 : 32 30 30 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A   200..Connection:
>> 200 : 20 6B 65 65 70 2D 61 6C 69 76 65 0D 0A 0D 0A       keep-alive....
>>
>>
>> -------------------------------------------------------
>> SF.Net email is Sponsored by the Better Software Conference & EXPO
>> September 19-22, 2005 * San Francisco, CA * Development Lifecycle
>> Practices
>> Agile & Plan-Driven Development * Managing Projects & Teams * Testing &
>> QA
>> Security * Process Improvement & Measurement *
>> http://www.sqe.com/bsce5sf
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
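An added example, not Guardian's or Snort's own code, that applies the two tunings discussed in this thread to constructed Snort alert_fast lines: the blanket SID ignore list of the Guardian rewrite, and the narrower per-destination suppression Jason recommends, which keeps sid 2565 live for every host except the one known to serve modules.php. The SID, rule name and the two addresses come from the BASE report above; the rev number, priority field and the 10.0.0.5 host are assumptions.

```python
"""Added example (not Guardian's or Snort's code): a Guardian-style filter over
Snort alert_fast lines showing the two tunings discussed in the thread. The
alert lines are constructed; rev, priority and the 10.0.0.5 host are made up."""
import re

# Fields of an alert_fast line: [gid:sid:rev] msg [**] ... {proto} src:sport -> dst:dport
FAST_ALERT = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample alerts; sid 2565 and the first two hosts come from the BASE report.
SAMPLE_ALERTS = [
    "09/01-11:01:01.000000  [**] [1:2565:1] WEB-PHP modules.php access [**] "
    "[Priority: 2] {TCP} 195.62.133.175:53837 -> 209.237.15.226:80",
    "09/01-11:02:30.000000  [**] [1:2565:1] WEB-PHP modules.php access [**] "
    "[Priority: 2] {TCP} 195.62.133.175:53840 -> 10.0.0.5:80",
    "09/01-11:03:15.000000  [**] [1:1000001:1] CONSTRUCTED local test rule [**] "
    "[Priority: 1] {TCP} 195.62.133.175:53841 -> 209.237.15.226:80",
]

def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = FAST_ALERT.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["sid"] = int(fields["sid"])
    return fields

def should_act(alert, ignore_sids=frozenset(), suppress=frozenset()):
    """Decide whether Guardian should act (e.g. block the source) on an alert.
    ignore_sids: blanket SID list (the Guardian rewrite); silences the rule everywhere.
    suppress: (sid, dst_ip) pairs (Jason's tuning); exempts only the host serving modules.php.
    """
    if alert["sid"] in ignore_sids:
        return False
    if (alert["sid"], alert["dst"]) in suppress:
        return False
    return True

def filter_alerts(lines, ignore_sids=frozenset(), suppress=frozenset()):
    """Return the (sid, dst) pairs of alerts that still warrant action."""
    acted = []
    for line in lines:
        alert = parse_alert(line)
        if alert is not None and should_act(alert, ignore_sids, suppress):
            acted.append((alert["sid"], alert["dst"]))
    return acted
```

In Snort 2.x itself the same per-host exemption is a `suppress gen_id 1, sig_id 2565, track by_dst, ip 209.237.15.226` line in threshold.conf, which leaves the rule active against every other destination.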
