[Snort-sigs] error

Don Don at ...613...
Tue Jun 4 15:10:05 EDT 2002


I'm trying to get information to you for a possible false positive on the
following rules under web-misc

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC long basic authorization string"; flags:A+; content:"Authorization\: Basic "; nocase; dsize:>1000; classtype:attempted-dos; reference:bugtraq,3230; sid:1260; rev:3;)

I'll try to follow the template as much as possible, but not sure what
information I can provide, hopefully it helps

# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC long basic authorization string"; flags:A+; content:"Authorization\: Basic "; nocase; dsize:>1000; classtype:attempted-dos; reference:bugtraq,3230; sid:1260; rev:3;)

--
Sid:
1260
--
Summary:
I am admin for an online game, this signature causes numerous alerts on my
web server, however, I do not know exactly what the client system may be
doing, there are only a few source IPs that cause this to occur, it does
not happen from all source IPs and I really don't think these particular
players are doing anything they shouldn't, it has come up with the alert on
my own connection to the game.
--
Impact:
large database of false alerts

--
Detailed Information:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:
I am admin for an online game, this signature causes numerous alerts on my
web server, however, I do not know exactly what the client system may be
doing, there are only a few source IPs that cause this to occur, it does
not happen from all source IPs and I really don't think these particular
players are doing anything they shouldn't, it has come up with the alert on
my own connection to the game.
--
False Negatives:

--
Corrective Action:

--
Contributors:

--
Additional References:
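
An added example, not part of the original post and not Snort's own code: a Python sketch of the two payload options in the quoted rule (content with nocase, and dsize), run over constructed requests. Because dsize measures the whole packet payload rather than the credential, it also measures the Basic token itself as a triage step; the 1000-character credential threshold, the host name and the request contents are assumptions.

```python
import re

# Options taken from the quoted rule (sid:1260). flags:A+ is not modelled.
RULE_CONTENT = b"authorization: basic "   # content + nocase
RULE_DSIZE = 1000                          # dsize:>1000, whole TCP payload
MAX_CREDENTIAL = 1000                      # assumed triage threshold, not from the rule

def rule_1260_matches(payload: bytes) -> bool:
    """True when the payload satisfies the rule's content and dsize options."""
    return len(payload) > RULE_DSIZE and RULE_CONTENT in payload.lower()

def basic_credential_length(payload: bytes):
    """Length of the token after 'Authorization: Basic ', or None if absent."""
    m = re.search(rb"^authorization:[ \t]*basic[ \t]+([^\r\n]*)",
                  payload, re.IGNORECASE | re.MULTILINE)
    return len(m.group(1).strip()) if m else None

def triage(payload: bytes) -> str:
    """Separate alerts caused by a long credential from large requests."""
    if not rule_1260_matches(payload):
        return "no-match"
    length = basic_credential_length(payload)
    if length is not None and length > MAX_CREDENTIAL:
        return "long-credential"
    return "large-request-short-credential"

def build_request(credential: str, cookie: str = "") -> bytes:
    """Constructed HTTP request; host, path and header values are made up."""
    lines = ["GET /game/status HTTP/1.1", "Host: game.example",
             f"Authorization: Basic {credential}"]
    if cookie:
        lines.append(f"Cookie: session={cookie}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

# Constructed samples: "dXNlcjpwYXNz" is base64 for "user:pass".
SMALL = build_request("dXNlcjpwYXNz")
LARGE_COOKIE = build_request("dXNlcjpwYXNz", cookie="c" * 1100)
LONG_CREDENTIAL = build_request("A" * 1200)

if __name__ == "__main__":
    for name, pkt in [("small", SMALL), ("large cookie", LARGE_COOKIE),
                      ("long credential", LONG_CREDENTIAL)]:
        print(f"{name:16} dsize={len(pkt):5} "
              f"cred_len={basic_credential_length(pkt)} -> {triage(pkt)}")
```

Running the same triage over the payloads of logged sid:1260 alerts shows how many of them carry a credential of ordinary length.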




