[Snort-sigs] SID 1042 false positives: WEB-IIS view source via translate header

SoloNet Newsfeed newsfeed at ...1411...
Fri Jun 6 12:00:11 EDT 2003


Hi, me again! :-)

Anyhow, we're in the process of pretty well systematically going through 
our multi-sensor IDS system and weeding out false positives. One of the 
more recent ones we've come across has been this rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; content:"Translate|3a| F"; nocase; reference:arachnids,305; reference:bugtraq,1578; classtype:web-application-activity; sid:1042; rev:6;)

Which has triggered on a few things (actually it helped us find a 
non-SSL based Outlook Web Access server, so oddly it helped a bit), but 
found there are false positives being triggered off of WebDAV traffic. I 
saw a post on comp.security.misc that mentioned the same type of false 
positives on WebDAV traffic back on March 6, 2002 with no apparent 
response (maybe a post to snort-sigs would have helped).

Anyhow, the arachNIDS DB shows that it's supposed to get triggered off of 
a "GET" and a "Translate: f", but it seems the "GET" is removed from the 
published rule and is getting picked up on stuff like WebDAV's PROPFIND, 
etc., which I think, if it's dual purposed, should be split into another 
rule, for, of course, WebDAV traffic. Does anybody want to take a look 
at this and populate a change back into the rule updates to cover the 
false positives?

David
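To make the false-positive mechanism concrete, here is an added Python example that is not part of the post or of the Snort rule set. It emulates the rule's `content:"Translate|3a| F"; nocase;` option as a case-insensitive byte search (the `|3a|` is the hex byte for ':'), then compares the rule as published (any request containing the header) against the GET-plus-header form the post says the arachNIDS entry describes. The HTTP requests are constructed samples, and the matching is a plain-Python approximation, not the Snort engine.

```python
"""Emulate Snort SID 1042's content match over constructed HTTP requests.

Added example, not from the snort-sigs post. SAMPLES are constructed
requests; the matching below approximates Snort's content/nocase option
in plain Python and is not the Snort detection engine.
"""

# "Translate|3a| F" with nocase: the bytes "Translate: F", matched
# case-insensitively anywhere in the request payload.
RULE_CONTENT = b"translate: f"

# Constructed sample requests with CRLF line endings as seen on the wire.
SAMPLES = {
    # The case the rule was written for: GET plus the Translate: f header.
    "get_translate_f": (
        b"GET /default.asp HTTP/1.1\r\n"
        b"Host: www.example.test\r\n"
        b"Translate: f\r\n\r\n"
    ),
    # Ordinary WebDAV client traffic (Outlook Web Access, Web Folders)
    # also sends Translate: f, but with a WebDAV method, not GET.
    "propfind_webdav": (
        b"PROPFIND /exchange/user/ HTTP/1.1\r\n"
        b"Host: owa.example.test\r\n"
        b"Depth: 1\r\n"
        b"Translate: F\r\n\r\n"
    ),
    "options_webdav": (
        b"OPTIONS / HTTP/1.1\r\n"
        b"Host: owa.example.test\r\n"
        b"Translate: f\r\n\r\n"
    ),
    # A plain request without the header should match nothing.
    "plain_get": (
        b"GET /index.html HTTP/1.1\r\n"
        b"Host: www.example.test\r\n\r\n"
    ),
}


def request_method(request: bytes) -> str:
    """Return the upper-cased HTTP method from the request line ('' if malformed)."""
    first_line = request.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if not parts or not parts[0]:
        return ""
    return parts[0].decode("ascii", "replace").upper()


def matches_published_rule(request: bytes) -> bool:
    """The rule as shipped (rev 6): fires on 'Translate: F' in any request."""
    return RULE_CONTENT in request.lower()


def matches_with_get_constraint(request: bytes) -> bool:
    """The rule as the post says arachNIDS describes it: GET method plus the header."""
    return request_method(request) == "GET" and matches_published_rule(request)


def evaluate(samples=SAMPLES) -> dict:
    """Map sample name -> (published rule fired, GET-constrained form fired)."""
    return {
        name: (matches_published_rule(req), matches_with_get_constraint(req))
        for name, req in samples.items()
    }


def false_positives(samples=SAMPLES) -> list:
    """Samples the published rule flags that the GET-constrained form does not."""
    return sorted(
        name for name, (published, refined) in evaluate(samples).items()
        if published and not refined
    )


if __name__ == "__main__":
    print(f"{'sample':<18}{'published':<12}{'with GET'}")
    for name, (published, refined) in evaluate().items():
        print(f"{name:<18}{str(published):<12}{refined}")
    print("false positives from the published rule:", false_positives())
```

Run as a script, the table shows the published rule firing on the PROPFIND and OPTIONS samples as well as the GET, while the GET-constrained form fires only on the GET; the WebDAV requests are exactly the traffic the post reports as false positives. Constraining on the method, or splitting WebDAV methods into a separate rule as the post suggests, is the change this illustrates.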
