[Snort-sigs] SID 1042 false positives: WEB-IIS view source via translate header
BradberryJ at ...2056...
Fri Dec 5 07:17:03 EST 2003
SID 1042 "WEB-IIS view source via translate header" generates many false
positive events on our networks. Clients interacting with WebDAV-enabled
servers are the usual suspects.
I've attached a revised rule and would appreciate comments for
additional improvement. Revisions include:
* Change content keyword to uricontent: this change allows the
  HTTP decoder to normalize the search strings.
* Search for "GET". I don't think this exploit can be
  successfully used with any other method? Virtually all the false
  positives I've reviewed contain either the OPTIONS method or a WebDAV
  method like PROPFIND.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; uricontent:"GET"; uricontent:"translate|3a| F"; nocase; classtype:web-application-activity; sid:1042; rev:7;)
The Greentree Group
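An added illustration (not part of the original post) of the false-positive reduction the revision aims for: a small model of the old rule (any request with a "Translate: f" header) beside the revised intent (same header, GET method only), run over constructed sample requests. It models the stated intent rather than Snort's buffers; note that in Snort `uricontent` inspects only the normalized URI, so in a real rule the method and header would be matched with `content`.

```python
"""Model of SID 1042 before and after the proposed revision.

Constructed HTTP requests only; this is the matching logic, not Snort.
"""
from typing import NamedTuple


class Request(NamedTuple):
    method: str
    uri: str
    headers: dict


def parse_request(raw: bytes) -> Request:
    """Split a raw HTTP request into method, URI and lower-cased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip().lower()
    return Request(method, uri, headers)


def original_rule(req: Request) -> bool:
    """Pre-revision behaviour: fires on any method carrying 'Translate: f'."""
    return req.headers.get("translate") == "f"


def revised_rule(req: Request) -> bool:
    """Proposed revision: same header, but only on GET requests."""
    return req.method == "GET" and req.headers.get("translate") == "f"


# Constructed sample traffic: one source-view attempt, two WebDAV probes, one plain GET.
SAMPLES = {
    "get_translate": b"GET /default.asp HTTP/1.1\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n",
    "options_webdav": b"OPTIONS / HTTP/1.1\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n",
    "propfind_webdav": b"PROPFIND /docs/ HTTP/1.1\r\nHost: www.example.com\r\nDepth: 1\r\nTranslate: f\r\n\r\n",
    "plain_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def evaluate(samples=SAMPLES) -> dict:
    """Return {name: (original_fires, revised_fires)} for each sample."""
    return {name: (original_rule(parse_request(raw)), revised_rule(parse_request(raw)))
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (old, new) in evaluate().items():
        print(f"{name:16s} original={old!s:5} revised={new!s:5}")
```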