[Snort-sigs] details about a sid

Yaakov Yehudi yehudi at ...1252...
Mon Feb 10 02:43:05 EST 2003

Hi Rodrigo (and others),

This rule is one which frequently give false-positive results.

Below you will see I have copied a couple of messages.  They are a dialog 
between myself and the very helpful Jason Harr, which discusses this problem.

Date: Thu, 7 Nov 2002 13:16:02 +1300
From: Jason Haar <Jason.Haar at ...651...>
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] WebDAV
Organization: Trimble Navigation New Zealand Ltd.

On Wed, Nov 06, 2002 at 10:42:19AM +0200, Yaakov Yehudi wrote:
 > Can anyone tell me if the WebDAV file lock alert can be triggered by
 > anything other than an intentional attempt to lock a file for editing etc.

Yup. Happens all the time.

It has been the cause of no-end of helpdesk reports to our IS staff over the

As usual it's to do with M$ IE talking to Web servers. Due to "integration"
between IE and M$ Office, IE tends to change how it talks to Web servers
when it:

a> notices the URL you are downloading is an M$ Office doc
b> time of the month

At that stage, IE decides to see if it can *EDIT* the document from afar. It
will try an assortment of methods, including FrontPage (see: sid:968,1288
and the other 30+ alerts) and WebDAV. It tries to lock the file to see if
WebDAV is supported. Typically this fails, at which stage IE fails-back to
standard behaviour (good), or gives some damn weird error to the user (hense
the calls to our IS helpdesk.)

Microsoft: need I say more?


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Date: Sun, 10 Nov 2002 15:21:29 +0200
To: snort-users at lists.sourceforge.net
From: Yaakov Yehudi <yehudi at ...1252...>
Cc: Jason.Haar at ...651...
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Subject: [Snort-users] WebDAV

Thanks for your reply Jason.

I found that IE 5 & 6 don't seem to cause MS Office to start up, they just 
display the content in the browser.  However earlier versions of IE, 
Netscape, and probably some other browsers, do cause the document to open 
in Office.

Best Regards, Yaakov

At  Friday  07/02/2003  12:39, Rodrigo Buarque Ramos wrote:
>Can you help me with some information about it the
>SID1288  WEB-FRONTPAGE /_vti_bin/ access ?
>Best regards,
>Rodrigo Ramos

More information about the Snort-sigs mailing list