[Snort-sigs] SID 1042 and WebDAV

Jason Haar Jason.Haar at ...651...
Tue Apr 15 15:45:06 EDT 2003

On Tue, Apr 15, 2003 at 06:04:27PM -0400, Scott, Joshua wrote:
> I'm getting bombarded by alerts from SID 1042 - "WEB-IIS view source via
> translate header".  According to the info on Arachnids, false positives may
> I'd like to look into any possible alternatives before disabling the sig.
> Can anyone offer any insight?  Am I correct that Exchange/OWA/Outlook
> Express uses WebDAV?  How do other Exchange shops running Snort handle this
> sig?  Do most people leave this sig enabled?

1. Yes, OWA 2000 makes extensive use of WebDAV when talking to IE5 clients
2. The original rule is "$EXTERNAL_NET any -> $HTTP_SERVERS" - and yet
   you're saying your internal Exchange servers talking to each other trigger
   the alert. That implies you've configured Snort to treat even internal 
   traffic as "external" - yes? As such, you've pushed FP in general through
   the roof.
I tried to run snort with external==internal, and found that it triggered on
most internal traffic ;-) As DMZes tend to be more "fine-grained" in their
application installations, FPs are much less an issue with Internet-DMZ
monitoring. I think you should be more liberal with removing rules for
internal traffic. 

If you know you're never going to look at the results, there's no point in
monitoring it.

[let the flame war commence? ;-)]


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-sigs mailing list