[Snort-sigs] SID 1882 False Positives : "ATTACK-RESPONSES id check returned userid "

Brian bmc at ...95...
Wed Jun 4 19:01:04 EDT 2003


On Wed, Jun 04, 2003 at 10:53:53AM -0400, SoloNet Newsfeed wrote:
> Actually, the fix is still triggering false positives on webmail programs:
> 
> http://mail.someplaceelse.com/wm/mail/read.html?sessionid=4074abfd6118ac6e379ff6527e923009&uid=189&msgid=15&mbox=user.duh.
> 
> since the signature (even on the new replacement signature) here is 
> looking for both UID and GID in the content, it's getting mussed up on 
> MSGID (or message ID)
> 
> alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check 
> returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; 
> content:"gid="; distance:1; within:15; 
> byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882; 
> rev:7;)

Can you try:

alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; content:" gid="; distance:0; byte_test:5,<,65537,0,relative,string;classtype:bad-unknown;)

NOTE, this will STILL alert on SMTP traffic talking about exploits.

-brian
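The difference between the two rules comes down to how Snort's content/byte_test cursor walks the payload. The following is an added example, not code from the thread or from Snort: a small Python model of that cursor logic (content leaves the cursor at the end of its match, distance/within are measured from that cursor, byte_test in string mode reads decimal digits at the cursor without moving it) run over three constructed payloads: the output of id(1), the webmail URL quoted above, and a mail body that quotes id(1) output. It deliberately ignores Snort's retry on later occurrences of the first content, which does not matter for these inputs.

```python
"""Toy model of the content/byte_test matching in SID 1882 (added example, not Snort code).

Simplifications (assumptions, not Snort internals): only the first occurrence of a
non-relative content is tried; `within` bounds the search window that starts at
cursor + distance; byte_test with `string` parses the leading decimal digits of the
next N bytes and does not advance the cursor.
"""
import operator
import re

OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq}


def content(payload, pattern, cursor, relative=False, distance=0, within=None):
    """Return the cursor position after a match (end of pattern) or None."""
    start = cursor + distance if relative else 0
    end = len(payload)
    if relative and within is not None:
        end = min(end, start + within)  # whole pattern must fit in the window
    idx = payload.find(pattern, start, end)
    return None if idx < 0 else idx + len(pattern)


def byte_test_string(payload, cursor, nbytes, op, value):
    """byte_test:<nbytes>,<op>,<value>,0,relative,string at the current cursor."""
    m = re.match(rb"\d+", payload[cursor:cursor + nbytes])
    return m is not None and OPS[op](int(m.group()), value)


def evaluate(rule, payload):
    """Walk the rule options in order; every option must succeed."""
    cursor = 0
    for opt in rule:
        if opt[0] == "content":
            cursor = content(payload, opt[1], cursor, **opt[2])
            if cursor is None:
                return False
        elif opt[0] == "byte_test":
            if not byte_test_string(payload, cursor, *opt[1:]):
                return False
    return True


# SID 1882 rev:7 as quoted in the thread: "gid=" with distance:1; within:15
SID_1882_REV7 = [
    ("content", b"uid=", {}),
    ("byte_test", 5, "<", 65537),
    ("content", b"gid=", {"relative": True, "distance": 1, "within": 15}),
    ("byte_test", 5, "<", 65537),
]

# Brian's proposed replacement: a leading space before gid=, distance:0
PROPOSED = [
    ("content", b"uid=", {}),
    ("byte_test", 5, "<", 65537),
    ("content", b" gid=", {"relative": True, "distance": 0}),
    ("byte_test", 5, "<", 65537),
]

# Constructed sample payloads (not captured traffic)
SAMPLES = {
    "id_output": b"uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon)\n",
    "webmail_url": (b"GET /wm/mail/read.html?sessionid=4074abfd6118ac6e379ff6527e923009"
                    b"&uid=189&msgid=15&mbox=user.duh. HTTP/1.0\r\n"),
    "mail_about_exploit": b"after the overflow you get a shell:\r\n$ id\r\nuid=0(root) gid=0(root)\r\n",
}


def alerts(rule):
    """Names of the sample payloads a rule fires on."""
    return sorted(name for name, data in SAMPLES.items() if evaluate(rule, data))


if __name__ == "__main__":
    print("rev:7    ->", alerts(SID_1882_REV7))
    print("proposed ->", alerts(PROPOSED))
```

Against these inputs the rev:7 rule fires on the webmail URL because "&msgid=15" supplies a "gid=" followed by digits one to fifteen bytes after "uid=189", while the proposed rule requires the space that id(1) prints before gid= and so ignores the URL. Both rules still fire on the mail body, which is the SMTP caveat Brian raises.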
