[Snort-sigs] Pass rules for Exchange 2000 OWA

Cessna, Michael MCessna at ...153...
Tue Oct 23 08:51:06 EDT 2001


Hello all,
I am trying to write a pass rule for Exchange 2000 Outlook Web Access. The
problem is that the OWA connections keep tripping the WebDAV rules in the
web-misc rules files. I would like to keep the alerts active but pass the
OWA connections.
The WebDAV rule that keeps tripping is:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC webdav search access"; flags: A+; content: "SEARCH "; depth: 8; nocase;reference:arachnids,474; classtype:bad-unknown; sid:1070; rev:1;)

I tried to use the following pass rule to ignore the OWA connections:
pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC webdav search access by Exchange OWA connection"; flags: A+; content: "SEARCH /exchange"; depth: 8; nocase;reference:arachnids,474; classtype:bad-unknown; sid:1070; rev:1;)

This is a copy of the webdav rule except that I added the /exchange to the
content match. I just can't seem to see what I am doing wrong. Maybe I am
just on crack today :)
Any help would be greatly appreciated,

Michael Cessna
Network Engineer
RealTime Media
308 Lancaster Ave.
Wynnewood, PA 19096
p.610-896-9400 x308
f.610-896-9416
mcessna at ...153...
www.realtimemedia.com
www.rtm.com
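
Added example (not part of the original message, and not Snort's own code): a small Python model of the `content`/`depth`/`nocase` options applied to the two rules quoted above. It shows that a 16-byte pattern cannot match inside an 8-byte depth window, and models the alert-before-pass default evaluation order that Snort's `-o` switch reverses. The payloads, the `depth: 16` variant and all function names are assumptions constructed for illustration.

```python
# Added example: a minimal model of Snort's content/depth/nocase options.
# This is not Snort code; the payloads below are constructed samples.

def content_match(payload: bytes, content: bytes, depth=None, nocase=False) -> bool:
    """True if `content` occurs within the first `depth` bytes of the payload."""
    window = payload if depth is None else payload[:depth]
    if nocase:
        window, content = window.lower(), content.lower()
    return content in window

# Options copied from the two rules in the message.
ALERT_1070 = dict(content=b"SEARCH ", depth=8, nocase=True)
PASS_AS_POSTED = dict(content=b"SEARCH /exchange", depth=8, nocase=True)
# Assumption: the same pass rule with depth widened to the pattern length.
PASS_WIDENED = dict(content=b"SEARCH /exchange", depth=16, nocase=True)

def verdict(payload, pass_rule, alert_rule=ALERT_1070, pass_first=True):
    """Evaluate one pass rule and one alert rule; the first match decides.

    pass_first=True models running with -o (Pass->Alert->Log);
    pass_first=False models the default Alert->Pass->Log order.
    """
    order = [("pass", pass_rule), ("alert", alert_rule)]
    if not pass_first:
        order.reverse()
    for action, rule in order:
        if content_match(payload, **rule):
            return action
    return "none"

# Constructed HTTP requests: one OWA-style SEARCH, one unrelated SEARCH.
OWA = b"SEARCH /exchange/user/Inbox HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"
OTHER = b"SEARCH /private/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for name, payload in (("OWA", OWA), ("other", OTHER)):
        print(name,
              "as posted:", verdict(payload, PASS_AS_POSTED),
              "| widened:", verdict(payload, PASS_WIDENED),
              "| widened, default order:",
              verdict(payload, PASS_WIDENED, pass_first=False))
```

A pass rule also needs its own sid rather than reusing 1070, and because it exempts the whole packet from every later rule, its match should stay as narrow as the OWA traffic allows.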
