[Snort-sigs] SID 1042 and WebDAV
Jason.Haar at ...651...
Tue Apr 15 15:45:06 EDT 2003
On Tue, Apr 15, 2003 at 06:04:27PM -0400, Scott, Joshua wrote:
> I'm getting bombarded by alerts from SID 1042 - "WEB-IIS view source via
> translate header". According to the info on Arachnids, false positives may
> I'd like to look into any possible alternatives before disabling the sig.
> Can anyone offer any insight? Am I correct that Exchange/OWA/Outlook
> Express uses WebDAV? How do other Exchange shops running Snort handle this
> sig? Do most people leave this sig enabled?
1. Yes, OWA 2000 makes extensive use of WebDAV when talking to IE5 clients
2. The original rule is "$EXTERNAL_NET any -> $HTTP_SERVERS" - and yet
you're saying your internal Exchange servers talking to each other trigger
the alert. That implies you've configured Snort to treat even internal
traffic as "external" - yes? As such, you've pushed FP in general through
I tried to run snort with external==internal, and found that it triggered on
most internal traffic ;-) As DMZes tend to be more "fine-grained" in their
application installations, FPs are much less an issue with Internet-DMZ
monitoring. I think you should be more liberal with removing rules for
If you know you're never going to look at the results, there's no point in
[let the flame war commence? ;-)]
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
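To illustrate the point made in item 2 above, here is an added example (not part of the thread or of the Snort ruleset) that evaluates the quoted rule header "$EXTERNAL_NET any -> $HTTP_SERVERS" under the two EXTERNAL_NET settings being discussed. The "Translate: f" payload check approximates the published content match of SID 1042 and is an assumption of the script; HOME_NET, the HTTP_SERVERS list and the sample OWA/WebDAV requests are constructed.

```python
"""Why SID 1042 fires on internal OWA traffic when EXTERNAL_NET is 'any'.

Added example, not code from the Snort-sigs thread. The rule header is the one
quoted in the thread; the 'Translate: f' payload check is an approximation of
the SID 1042 content match. All addresses and requests are constructed.
"""
import ipaddress
from collections import Counter

# Constructed network layout for the example.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]
HTTP_SERVERS = {"10.1.1.10", "10.1.1.11"}   # assumed OWA front ends


def in_home_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def src_matches_external_net(external_net, src_ip):
    """Evaluate the rule's source-address variable for one packet.

    Supports the two settings discussed in the thread:
      "any"        -> every source matches, internal hosts included
      "!$HOME_NET" -> only sources outside HOME_NET match
    """
    if external_net == "any":
        return True
    if external_net == "!$HOME_NET":
        return not in_home_net(src_ip)
    raise ValueError(f"unsupported EXTERNAL_NET value: {external_net!r}")


def has_translate_f(request):
    """Case-insensitive check for a 'Translate: f' header (WebDAV clients send it)."""
    for line in request.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "translate" and value.strip().lower() == "f":
            return True
    return False


def sid_1042_fires(external_net, src_ip, dst_ip, request):
    """Approximation of SID 1042: header (src var, dst server) plus payload match."""
    return (src_matches_external_net(external_net, src_ip)
            and dst_ip in HTTP_SERVERS
            and has_translate_f(request))


# Constructed sample flows: (src, dst, request)
OWA_REQUEST = ("PROPFIND /exchange/jsmith/Inbox HTTP/1.1\r\n"
               "Host: owa.example.internal\r\n"
               "Translate: f\r\n"
               "Depth: 1\r\n\r\n")
PLAIN_GET = "GET /exchange/ HTTP/1.1\r\nHost: owa.example.internal\r\n\r\n"

SAMPLE_FLOWS = [
    ("10.1.1.5", "10.1.1.10", OWA_REQUEST),     # Exchange back end -> OWA, internal
    ("10.2.0.77", "10.1.1.10", OWA_REQUEST),    # IE5/OWA user on the LAN
    ("203.0.113.9", "10.1.1.10", OWA_REQUEST),  # Internet client sending Translate: f
    ("10.2.0.78", "10.1.1.11", PLAIN_GET),      # ordinary browser request, no header
]


def alert_counts(external_net, flows=SAMPLE_FLOWS):
    """Count SID 1042 alerts by whether the source address is internal or external."""
    counts = Counter()
    for src, dst, req in flows:
        if sid_1042_fires(external_net, src, dst, req):
            counts["internal" if in_home_net(src) else "external"] += 1
    return dict(counts)


if __name__ == "__main__":
    for setting in ("any", "!$HOME_NET"):
        print(f"EXTERNAL_NET {setting:12} -> {alert_counts(setting)}")
```

With EXTERNAL_NET set to `any`, the two internal WebDAV flows alert alongside the one from the Internet; with `!$HOME_NET` only the external request remains, which is the behaviour the original rule header was written for. Before changing the variable, check that your HOME_NET actually covers every Exchange and OWA segment, otherwise the same "internal" traffic will still look external to Snort.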