[Snort-sigs] SID 1042 false positives: WEB-IIS view source via translate header
bmc at ...95...
Fri Dec 5 07:43:01 EST 2003
On Thu, Dec 04, 2003 at 03:57:57PM -0600, Bradberry, John wrote:
>  Change content keyword to uricontent: this change allows the
> HTTP decoder to normalize the search strings.
No, "Translate: F" is not in the URL. It is in the header portion of the
>  Search for "GET". I don't think this exploit can be
> successfully used with any other method? Virtually all the false
> positives I've reviewed contain either the OPTIONS method or a webDAV
> method like PROPFIND.
You can't be sure that you are going to see a "GET" in the same packet,
which is why we don't search for it.
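
An added example, not part of the original post or of the Snort rule set: a per-packet model of the three matching strategies discussed in this thread, run over constructed payloads. The function names, the sample requests and the no-stream-reassembly model are assumptions made for illustration.

```python
# Added illustration. Payloads are constructed, not captured traffic.
# Assumption: each strategy inspects one packet at a time (no stream reassembly).
import re

NEEDLE = b"translate: f"
REQUEST_LINE = re.compile(rb"([A-Z]+) (\S+) HTTP/\d\.\d\r\n")

def content_match(payload):
    """Case-insensitive search of the whole payload, headers included."""
    return NEEDLE in payload.lower()

def uricontent_match(payload):
    """Search only the request URI, as a URI-scoped match would."""
    m = REQUEST_LINE.match(payload)
    return bool(m) and NEEDLE in m.group(2).lower()

def content_and_get_match(payload):
    """Whole-payload search that also requires GET in the same packet."""
    m = REQUEST_LINE.match(payload)
    return content_match(payload) and bool(m) and m.group(1) == b"GET"

STRATEGIES = {
    "content": content_match,
    "uricontent": uricontent_match,
    "content+GET": content_and_get_match,
}

def evaluate(packets):
    """Report, per strategy, whether any packet of the request triggers it."""
    return {name: any(fn(p) for p in packets) for name, fn in STRATEGIES.items()}

# Constructed request carried in a single packet.
ONE_PACKET = [b"GET /index.asp HTTP/1.1\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n"]
# The same request split so the header arrives in a later packet than the method.
SPLIT_REQUEST = [b"GET /index.asp HTTP/1.1\r\nHost: www.example.com\r\n",
                 b"Translate: f\r\n\r\n"]
# Constructed WebDAV request of the kind reported as a false positive.
PROPFIND_REQUEST = [b"PROPFIND /docs/ HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"Translate: f\r\nDepth: 1\r\n\r\n"]

if __name__ == "__main__":
    for label, packets in (("one packet", ONE_PACKET),
                           ("split request", SPLIT_REQUEST),
                           ("PROPFIND", PROPFIND_REQUEST)):
        print(label, evaluate(packets))
```

The URI-scoped match never fires because the string is a header, and the GET requirement suppresses the PROPFIND alert at the cost of missing the split request.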