[Snort-sigs] Pass rules for Exchange 2000 OWA
MCessna at ...153...
Tue Oct 23 08:51:06 EDT 2001
I am trying to write a pass rule for Exchange 2000 Outlook Web Access. The
problem is that the OWA connections keep tripping the web dav rules in the
web-misc rules files. I would like to keep the alerts active but pass the

The Webdav rule that keeps tripping is:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC webdav search access"; flags: A+; content: "SEARCH "; depth: 8; nocase;reference:arachnids,474; classtype:bad-unknown; sid:1070; rev:1;)

I tried to use the following pass rule to ignore the OWA connections:

pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC webdav search access by Exchange OWA connection"; flags: A+; content: "SEARCH /exchange"; depth: 8; nocase;reference:arachnids,474; classtype:bad-unknown; sid:1070;

This is a copy of the webdav rule except that I added the /exchange to the
content match. I just can't seem to see what I am doing wrong. Maybe I am
just on crack today :)

Any help would be greatly appreciated,
308 Lancaster Ave.
Wynnewood, PA 19096
mcessna at ...153...
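
Added example, not part of the original post and not Snort's own code: a simplified Python model of how `content` and `depth` interact in the two rules above, and of the order in which rule types are tested. The payloads are constructed samples, the function and variable names are hypothetical, and the ordering parameter models Snort 1.x behaviour (alert rules tested before pass rules by default, reversed by the `-o` option).

```python
# Simplified model of Snort content/depth matching and rule-type ordering.
# Illustration only; payloads below are constructed, not captured traffic.

def content_match(payload: bytes, content: bytes, depth: int, nocase: bool = True) -> bool:
    """Search for `content` only inside the first `depth` bytes of the payload."""
    window = payload[:depth]
    if nocase:
        window, content = window.lower(), content.lower()
    return content in window

# The alert rule from the post: 7-byte content inside an 8-byte window.
ALERT = {"action": "alert", "content": b"SEARCH ", "depth": 8}
# The pass rule as posted: 16-byte content, but still an 8-byte window.
PASS_AS_POSTED = {"action": "pass", "content": b"SEARCH /exchange", "depth": 8}
# Same pass rule with depth equal to the content length (assumed correction).
PASS_DEPTH_16 = {"action": "pass", "content": b"SEARCH /exchange", "depth": 16}

def verdict(payload: bytes, rules, order=("alert", "pass")):
    """Return the action of the first matching rule, testing rule types in `order`."""
    for action in order:
        for rule in rules:
            if rule["action"] == action and content_match(
                payload, rule["content"], rule["depth"]
            ):
                return action
    return None

OWA = b"SEARCH /exchange/user/Inbox HTTP/1.1\r\n"   # constructed OWA-style request
OTHER = b"SEARCH /scripts/ HTTP/1.1\r\n"            # constructed non-OWA request

if __name__ == "__main__":
    pass_first = ("pass", "alert")   # models running with -o
    for name, rules in (("as posted", [ALERT, PASS_AS_POSTED]),
                        ("depth 16", [ALERT, PASS_DEPTH_16])):
        print(name, "| OWA, default order:", verdict(OWA, rules))
        print(name, "| OWA, pass first:   ", verdict(OWA, rules, pass_first))
        print(name, "| other, pass first: ", verdict(OTHER, rules, pass_first))
```

In this model the posted pass rule never matches, because a 16-byte pattern cannot fit in an 8-byte search window, and even the depth-16 version only suppresses the alert when pass rules are tested first. Keeping the depth equal to the content length keeps the exemption anchored to requests that begin with `SEARCH /exchange`, so other WebDAV SEARCH requests still alert.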