[Snort-sigs] Sid 1042 - too many FPs
Schmehl, Paul L
pauls at ...1311...
Thu Feb 27 19:19:08 EST 2003
More questions about rules......
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; content:"Translate|3a| F"; nocase; reference:arachnids,305; reference:bugtraq,1578; classtype:web-application-activity; sid:1042;)
This looks for "Translate: F", but the bugtraq explanation (bid 1578)
states as follows:
"It is possible to force the server to send back the source of known
scriptable files to the client if the HTTP GET request contains a
specialized header with 'Translate: f' at the end of it, and if a
trailing slash '/' is appended to the end of the URL."
Shouldn't the content portion of this rule at least include the trailing
slash? I'm getting FPs on a Solaris/Apache server (running webct) that
is used heavily on our campus.
I would think something like this might be better:
content: "Translate|3a| F"; nocase; uricontent:"/"; within: 512;
Or at least this:
content: "Translate|3a| F"; nocase; content: "/";
although this would probably lead to false positives as well, just fewer of them
or perhaps this:
content: "Translate|3a| F"; nocase; content: "Host|3a| "; nocase;
content: "/"; within: 512;
Here's a payload (just the human-readable part). It clearly triggers
this alert, but does *not* meet the criteria for an alert per the
OPTIONS / HTTP/1.1..translate: f..User-Agent:
Webct.utdallas.edu..Authorization: Basic 0g==..
For now I'm going to have to disable this alert.
I also wonder if any thought has been given to creating a var
"IIS_SERVERS" so that the IIS alerts could at least be limited to
potentially vulnerable servers instead of every web server you have?
(We have *many* campus wide, many of which are Apache, not IIS.)
Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
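The following Python script is an added illustration, not part of the original post and not Snort code: it simulates three matchers over constructed HTTP requests so the difference between them is visible. The first mimics sid 1042 as posted (the bytes "Translate: F", case-insensitive, anywhere in the payload), the second adds the "/" in the URI that the post proposes, and the third parses the headers and request line and only fires when a Translate: f header accompanies a path naming a scriptable file with a trailing slash appended, as the quoted bugtraq text describes. The sample requests are constructed (the OPTIONS one is modelled on the WebCT payload quoted above, with an invented Authorization value), and the list of script extensions is an assumption.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample requests. The first is modelled on the WebCT OPTIONS
# request quoted in the post; the others are invented for illustration.
WEBCT_OPTIONS = (
    b"OPTIONS / HTTP/1.1\r\n"
    b"translate: f\r\n"
    b"User-Agent: Webct.example.edu\r\n"
    b"Authorization: Basic dXNlcjpwYXNz\r\n"
    b"\r\n"
)
ASP_SOURCE_REQUEST = (          # scriptable file plus trailing slash
    b"GET /scripts/login.asp/ HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"Translate: f\r\n"
    b"\r\n"
)
NO_TRAILING_SLASH = (           # same file, no trailing slash appended
    b"GET /scripts/login.asp HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"Translate: f\r\n"
    b"\r\n"
)
NO_SPACE_AFTER_COLON = (        # HTTP allows no whitespace after the colon
    b"GET /scripts/login.asp/ HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"Translate:f\r\n"
    b"\r\n"
)
PLAIN_GET = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"\r\n"
)

# Assumption: extensions IIS hands to a script engine. The post and the
# bugtraq text only say "scriptable files", so this list is illustrative.
SCRIPT_EXTENSIONS = (".asp", ".asa", ".htr", ".inc")


def parse_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, str]]]:
    """Split an HTTP request into (method, uri, headers); None if malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    method, uri, _version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def sid1042_as_posted(raw: bytes) -> bool:
    """The rule as posted: 'Translate: F' (nocase) anywhere in the payload."""
    return re.search(rb"translate: f", raw, re.IGNORECASE) is not None


def with_uri_slash(raw: bytes) -> bool:
    """The post's first tightening: the same content match plus '/' in the URI.
    Every absolute path contains '/', so this adds almost nothing."""
    parsed = parse_request(raw)
    return parsed is not None and sid1042_as_posted(raw) and "/" in parsed[1]


def translate_f_source_request(raw: bytes) -> bool:
    """Header-aware check following the quoted bugtraq description: a
    Translate: f header (whitespace after the colon optional) and a request
    path that names a scriptable file with a trailing slash appended."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    _method, uri, headers = parsed
    if headers.get("translate", "").lower() != "f":
        return False
    path = uri.split("?", 1)[0]
    if len(path) < 2 or not path.endswith("/"):
        return False                       # bare "/" (the WebCT case) is not a file
    filename = path[:-1].rsplit("/", 1)[-1].lower()
    return filename.endswith(SCRIPT_EXTENSIONS)


def evaluate(raw: bytes) -> Dict[str, bool]:
    """Run all three checks over one request so the differences are visible."""
    return {
        "sid1042_as_posted": sid1042_as_posted(raw),
        "with_uri_slash": with_uri_slash(raw),
        "translate_f_source_request": translate_f_source_request(raw),
    }


if __name__ == "__main__":
    samples = [
        ("WebCT OPTIONS", WEBCT_OPTIONS),
        ("ASP + trailing slash", ASP_SOURCE_REQUEST),
        ("ASP, no trailing slash", NO_TRAILING_SLASH),
        ("Translate:f (no space)", NO_SPACE_AFTER_COLON),
        ("plain GET", PLAIN_GET),
    ]
    for name, req in samples:
        print(f"{name:24} {evaluate(req)}")
```

Two things the run shows that the rule text alone does not: a bare "/" in the URI matches the WebCT OPTIONS request just as it matches everything else, so the discriminator has to be the trailing slash after a script file name rather than any slash; and a client that sends "Translate:f" with no space after the colon slips past the raw content match entirely, while a check that parses the header catches it. In Snort itself the equivalent would need a different content string or a pcre rather than the fixed "Translate|3a| F" bytes.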