[Snort-sigs] SID 1042 false positives: WEB-IIS view source via translate header

Brian bmc at ...95...
Fri Dec 5 07:43:01 EST 2003


On Thu, Dec 04, 2003 at 03:57:57PM -0600, Bradberry, John wrote:
> [1] Change content keyword to uricontent: this change allows the
> HTTP decoder to normalize the search strings.

No, "Translate: F" is not in the URL.  It is in the header portion of the
request.

> [2] Search for "GET".  I don't think this exploit can be
> successfully used with any other method?  Virtually all the false
> positives I've reviewed contain either the OPTIONS method or a WebDAV
> method like PROPFIND.

You can't be sure that you are going to see a "GET" in the same packet,
which is why we don't search for it.

-brian
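
The two points in the reply above, shown as an added example that is not part of the original post and is not Snort code: a simplified per-packet model of matching the header string in the payload, in the URI only, and together with "GET". The request, the host name, the case-insensitive match and all function names are constructed for illustration; stream reassembly and URI normalization are not modeled.

```python
# Constructed sample request (not captured traffic); the host is a placeholder.
REQUEST = (
    b"GET /default.asp HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Translate: F\r\n"
    b"\r\n"
)
NEEDLE = b"translate: f"  # assumption: matched case-insensitively


def request_uri(payload):
    """Return the URI from the request line, or b"" if the payload has none."""
    first_line = payload.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        return parts[1]
    return b""


def match_content(payload):
    """Model of a payload-wide match: search the whole packet."""
    return NEEDLE in payload.lower()


def match_uricontent(payload):
    """Model of a URI-only match: the header is never part of the URI."""
    return NEEDLE in request_uri(payload).lower()


def match_content_and_get(payload):
    """Proposed variant: header string AND "GET" in the same packet."""
    return match_content(payload) and b"GET" in payload


def split_segments(request, offset):
    """Model one request carried in two TCP segments, split at `offset`."""
    return [request[:offset], request[offset:]]


def any_alert(matcher, packets):
    """True if the matcher fires on any single packet, with no reassembly."""
    return any(matcher(p) for p in packets)
```

With the request in one packet, the payload-wide match fires and the URI-only match does not; once the header lands in a later segment than the request line, the variant that also requires "GET" stops firing while the payload-wide match still does.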



