Network Security: Detailed info on [Snort-sigs] False positive for SID 3550

Subject:	[Snort-sigs] False positive for SID 3550
Date:	Thu, 13 Oct 2005 09:37:31 -0500

Rule: alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"WEB-CLIENT HTML http scheme hostname overflow attempt";
flow:to_client,established; content:"http|3A|//"; nocase;
pcre:"/=\s*[\x22\x27]?http\x3a\/\/([^\x3a\x2f@\s]{255}|[^@]*@[^\x3a\x2f@\s]{255})/i";
reference:cve,2005-0553; classtype:attempted-user; sid:3550; rev:3;)

--
Sid: 3550

--
Summary: None

--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:
IPv4: 216.155.194.191 -> 209.98.197.141
      hlen=5 TOS=0 dlen=725 ID=30088 flags=0 offset=0 TTL=49 chksum=40783
TCP:  port=80 -> dport: 16599  flags=***AP*** seq=4138758912
      ack=3829966329 off=8 res=0 win=33304 urp=0 chksum=26396
      Options:
       #1 - NOP len=0
       #2 - NOP len=0
       #3 - TS len=8 data=3C97F4BEF6418288
Payload:  length = 673

000 : 48 54 54 50 2F 31 2E 30 20 32 30 30 20 4F 4B 0D   HTTP/1.0 200 OK.
010 : 0A 44 61 74 65 3A 20 54 68 75 2C 20 31 33 20 4F   .Date: Thu, 13 O
020 : 63 74 20 32 30 30 35 20 31 33 3A 35 39 3A 34 35   ct 2005 13:59:45
030 : 20 47 4D 54 0D 0A 50 33 50 3A 20 70 6F 6C 69 63    GMT..P3P: polic
040 : 79 72 65 66 3D 22 68 74 74 70 3A 2F 2F 70 33 70   yref="http://p3p
050 : 2E 79 61 68 6F 6F 2E 63 6F 6D 2F 77 33 63 2F 70   .yahoo.com/w3c/p
060 : 33 70 2E 78 6D 6C 22 2C 20 43 50 3D 22 43 41 4F   3p.xml", CP="CAO
070 : 20 44 53 50 20 43 4F 52 20 43 55 52 20 41 44 4D    DSP COR CUR ADM
080 : 20 44 45 56 20 54 41 49 20 50 53 41 20 50 53 44    DEV TAI PSA PSD
090 : 20 49 56 41 69 20 49 56 44 69 20 43 4F 4E 69 20    IVAi IVDi CONi
0a0 : 54 45 4C 6F 20 4F 54 50 69 20 4F 55 52 20 44 45   TELo OTPi OUR DE
0b0 : 4C 69 20 53 41 4D 69 20 4F 54 52 69 20 55 4E 52   Li SAMi OTRi UNR
0c0 : 69 20 50 55 42 69 20 49 4E 44 20 50 48 59 20 4F   i PUBi IND PHY O
0d0 : 4E 4C 20 55 4E 49 20 50 55 52 20 46 49 4E 20 43   NL UNI PUR FIN C
0e0 : 4F 4D 20 4E 41 56 20 49 4E 54 20 44 45 4D 20 43   OM NAV INT DEM C
0f0 : 4E 54 20 53 54 41 20 50 4F 4C 20 48 45 41 20 50   NT STA POL HEA P
100 : 52 45 20 47 4F 56 22 0D 0A 43 6F 6E 6E 65 63 74   RE GOV"..Connect
110 : 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A 43 6F 6E 74   ion: close..Cont
120 : 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 70   ent-Type: text/p
130 : 6C 61 69 6E 0D 0A 0D 0A 01 00 00 00 59 4D 53 47   lain........YMSG
140 : 49 4C 5F 4E 01 51 00 0A 00 00 00 00 7A 40 00 00   IL_N.Q......z@..
150 : 38 C0 80 33 C0 80 37 C0 80 6F 74 74 65 5F 6A 65   8..3..7..otte_je
160 : 6E 6E 69 66 65 72 C0 80 31 30 C0 80 30 C0 80 31   nnifer..10..0..1
170 : 33 C0 80 31 C0 80 36 30 C0 80 C0 80 31 33 38 C0   3..1..60....138.
180 : 80 31 C0 80 31 38 34 C0 80 C0 80 31 39 32 C0 80   .1..184....192..
190 : 2D 31 C0 80 31 30 30 30 31 C0 80 C0 80 32 34 34   -1..10001....244
1a0 : C0 80 32 37 38 35 32 37 C0 80 31 30 30 30 32 C0   ..278527..10002.
1b0 : 80 30 C0 80 31 39 38 C0 80 30 C0 80 32 31 33 C0   .0..198..0..213.
1c0 : 80 30 C0 80 37 C0 80 6C 72 69 63 6B 65 74 74 73   .0..7..lricketts
1d0 : 37 37 37 C0 80 31 30 C0 80 39 39 39 C0 80 31 33   777..10..999..13
1e0 : C0 80 31 C0 80 36 30 C0 80 C0 80 31 33 37 C0 80   ..1..60....137..
1f0 : 35 33 31 32 30 C0 80 31 38 34 C0 80 C0 80 31 39   53120..184....19
200 : 32 C0 80 32 30 32 39 39 34 39 39 32 32 C0 80 31   2..2029949922..1
210 : 30 30 30 31 C0 80 C0 80 32 34 34 C0 80 35 32 34   0001....244..524
220 : 32 32 33 C0 80 31 30 30 30 32 C0 80 30 C0 80 31   223..10002..0..1
230 : 39 38 C0 80 30 C0 80 32 31 33 C0 80 30 C0 80 37   98..0..213..0..7
240 : C0 80 67 72 65 67 6E 65 65 73 65 72 C0 80 31 30   ..gregneeser..10
250 : C0 80 30 C0 80 31 33 C0 80 31 C0 80 36 30 C0 80   ..0..13..1..60..
260 : C0 80 31 33 38 C0 80 31 C0 80 31 38 34 C0 80 C0   ..138..1..184...
270 : 80 31 30 30 30 31 C0 80 C0 80 32 34 34 C0 80 32   .10001....244..2
280 : 37 38 35 32 37 C0 80 31 30 30 30 32 C0 80 30 C0   78527..10002..0.
290 : 80 31 39 38 C0 80 30 C0 80 32 31 33 C0 80 30 C0   .198..0..213..0.
2a0 : 80                                                .


--
False Negatives:

--
Corrective Action:

--
Contributors:

-- 
Additional References:



-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-sigs] False positive for SID 3550, G. Panula <=

Previous by Date:	RE: [Snort-sigs] Snort conf file, U.Chandrasekar
Next by Date:	RE: [Snort-sigs] Snort conf file, Paul Schmehl
Previous by Thread:	[Snort-sigs] false positive for DOUBLE DECODING ATTACK, Wolfgang Rohdewald
Next by Thread:	[Snort-sigs] Fixes and Mitigation Instructions Available for Snort Back Orifice Vulnerability, Jennifer Steffens
Indexes:	[Date] [Thread] [Top] [All Lists]