[Snort-sigs] Sid 1042 - too many FPs

Schmehl, Paul L pauls at ...1311...
Thu Feb 27 19:19:08 EST 2003


More questions about rules......

In web-iis.rules:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS
view source via translate header"; flow:to_server,established; content:
"Translate|3a| F"; nocase; reference:arachnids,305;
reference:bugtraq,1578; classtype:web-application-activity; sid:1042;
rev:6;)

This looks for "Translate: F", but the bugtraq explanation (bid 1578)
states as follows:
"It is possible to force the server to send back the source of known
scriptable files to the client if the HTTP GET request contains a
specialized header with 'Translate: f' at the end of it, and if a
trailing slash '/' is appended to the end of the URL."

Shouldn't the content portion of this rule at least include the trailing
slash?  I'm getting FPs on a Solaris/Apache server (running webct) that
is used heavily on our campus.

I would think something like this might be better:
content: "Translate|3a| F"; nocase; uricontent:"/"; within: 512;

Or at least this:
content: "Translate|3a| F"; nocase; content: "/"; although this would
probably lead to false positives as well, just fewer of them.

or perhaps this:
content: "Translate|3a| F"; nocase; content: "Host|3a| "; nocase;
content: "/"; within: 512;

Here's a payload (Just the human readable part).  It clearly triggers
this alert, but does *not* meet the criteria for an alert per the
bugtraq explanation:

OPTIONS / HTTP/1.1..translate: f..User-Agent: 
Microsoft-WebDAV-MiniRedir/5.1.2600..Host: 
Webct.utdallas.edu..Authorization: Basic 0g==..
Connection: Keep-Alive..Content-Length:0....

For now I'm going to have to disable this alert.

I also wonder if any thought has been given to creating a var
"IIS_SERVERS" so that the IIS alerts could at least be limited to
potentially vulnerable servers instead of every web server you have?
(We have *many* campus wide, many of which are Apache, not IIS.)

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
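As an added illustration (not part of the original post or of the Snort rule set), the Python below emulates the three match conditions discussed in the post and runs them over the captured WebDAV OPTIONS request: the current sid 1042 content match, the proposed uricontent:"/" refinement, and a stricter check tied to the bugtraq 1578 description. The stricter check's regex (a file-like last path segment followed by the appended trailing slash) and the second, constructed GET request are assumptions made for this example.

```python
import re

# Captured request from the post; the ".." shown there are CRLF bytes,
# reconstructed here as raw request text.
CAPTURED_WEBDAV_OPTIONS = (
    "OPTIONS / HTTP/1.1\r\n"
    "translate: f\r\n"
    "User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600\r\n"
    "Host: Webct.utdallas.edu\r\n"
    "Authorization: Basic 0g==\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Length:0\r\n\r\n"
)

# Constructed request shaped like the bugtraq 1578 description:
# a GET with Translate: f and a trailing slash appended to a scriptable file's URL.
CONSTRUCTED_SOURCE_VIEW = (
    "GET /default.asp/ HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Translate: f\r\n\r\n"
)

def parse_request(raw):
    """Return (method, uri, headers) with header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers

def sid1042_matches(raw):
    """Current rule body: content:"Translate|3a| F"; nocase; anywhere in the payload."""
    return "translate: f" in raw.lower()

def proposed_uricontent_matches(raw):
    """Post's first suggestion: the content match plus uricontent:"/"."""
    _method, uri, _headers = parse_request(raw)
    return sid1042_matches(raw) and "/" in uri

# Assumed heuristic for "scriptable file with a trailing slash appended".
FILE_THEN_SLASH = re.compile(r"/[^/?]+\.[A-Za-z0-9]+/(\?|$)")

def bid1578_pattern_matches(raw):
    """Stricter check: GET method, Translate: f header, file URL ending in '/'."""
    method, uri, headers = parse_request(raw)
    return (method == "GET"
            and headers.get("translate", "").lower() == "f"
            and FILE_THEN_SLASH.search(uri) is not None)

def evaluate(raw):
    """Which of the three conditions fire for one raw request."""
    return {"sid1042": sid1042_matches(raw),
            "uricontent_slash": proposed_uricontent_matches(raw),
            "bid1578_pattern": bid1578_pattern_matches(raw)}
```

Because the captured request's URI is just "/", the uricontent:"/" refinement still fires on it; only the method-plus-path check separates it from the advisory's pattern.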
