[Snort-sigs] SID 1042 false positives: WEB-IIS view source via translate header

Bradberry, John BradberryJ at ...2056...
Fri Dec 5 07:17:03 EST 2003


Hello:

SID 1042 "WEB-IIS view source via translate header" generates many false
positive events on our networks.  Clients interacting with WebDAV
enabled servers are the usual suspects.

I've attached a revised rule and would appreciate comments for
additional improvement.  Revisions include:

[1] Change content keyword to uricontent: this change allows the
HTTP decoder to normalize the search strings.

[2] Search for "GET".  I don't think this exploit can be
successfully used with any other method?  Virtually all the false
positives I've reviewed contain either the OPTIONS method or a WebDAV
method like PROPFIND.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"WEB-IIS view source via translate header"; \
    flow:to_server,established; \
    uricontent:"GET"; uricontent:"translate|3a| F"; nocase; \
    reference:arachnids,305; reference:bugtraq,1578; \
    classtype:web-application-activity; sid:1042; rev:7;)

John Bradberry
The Greentree Group
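The false-positive argument in the post can be checked offline. The following is an added example, not code from the post or from the Snort project: it models the original SID 1042 condition (a Translate header with value F, case-insensitive) and the revised two-part condition (GET method plus that header) as plain Python, and runs both over a few constructed HTTP requests of the kinds the post describes (a GET with Translate: f, an OPTIONS and a PROPFIND from a WebDAV client, and a plain GET). The request samples, header values and function names are all constructed for this illustration. The example checks the method in the request line and the header in the header block as two separate fields, which is also how Snort keeps them: uricontent inspects only the normalized URI buffer, so a deployed rule matches the method and header with content (or, in later Snort 2.x releases, the http_method and http_header modifiers).

```python
"""Compare the original and revised SID 1042 conditions over sample requests.

Added example for the Snort-sigs thread; not the rule's own code. Each
function takes a raw HTTP/1.x request (bytes) and returns a bool, so the
two rule variants can be compared side by side on the same traffic.
"""
from typing import Dict, Tuple


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw request into (method, uri, headers).

    Header names are lower-cased and the first occurrence of a name wins,
    which is sufficient for a single-header check like this one.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        raise ValueError("malformed request line: %r" % lines[0])
    method, uri = parts[0], parts[1]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip folded or malformed header lines
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), value.strip())
    return method, uri, headers


def has_translate_f(headers: Dict[str, str]) -> bool:
    """Original SID 1042 condition: 'translate: f', matched without regard to case."""
    return headers.get("translate", "").lower().startswith("f")


def original_rule_matches(raw: bytes) -> bool:
    """Header-only condition: alerts on any method carrying Translate: F."""
    _method, _uri, headers = parse_request(raw)
    return has_translate_f(headers)


def revised_rule_matches(raw: bytes) -> bool:
    """Revised condition from the post: GET method AND Translate: F."""
    method, _uri, headers = parse_request(raw)
    return method.upper() == "GET" and has_translate_f(headers)


# Constructed sample requests (hostnames and paths are placeholders).
SAMPLES: Dict[str, bytes] = {
    "get_translate_f": (
        b"GET /scripts/page.asp HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"Translate: f\r\n\r\n"
    ),
    "options_webdav": (
        b"OPTIONS / HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"Translate: f\r\n\r\n"
    ),
    "propfind_webdav": (
        b"PROPFIND /docs/ HTTP/1.1\r\n"
        b"Host: www.example.com\r\n"
        b"Depth: 1\r\n"
        b"Translate: f\r\n\r\n"
    ),
    "plain_get": (
        b"GET /index.html HTTP/1.1\r\n"
        b"Host: www.example.com\r\n\r\n"
    ),
}


def evaluate_samples() -> Dict[str, Tuple[bool, bool]]:
    """Return {sample_name: (original_alerts, revised_alerts)} for every sample."""
    return {
        name: (original_rule_matches(raw), revised_rule_matches(raw))
        for name, raw in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (orig, rev) in evaluate_samples().items():
        print("%-18s original=%-5s revised=%s" % (name, orig, rev))
```

On these samples the header-only condition fires on the OPTIONS and PROPFIND requests as well as the GET, while the revised condition fires only on the GET, which is the reduction the post is after. The caveat is that a WebDAV client which legitimately issues a GET with Translate: f still alerts under both versions, so the method check narrows the rule but does not make it specific to the attack.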
