[Snort-sigs] SID 1042 false positives: WEB-IIS view source via translate header
newsfeed at ...1411...
Fri Jun 6 12:00:11 EDT 2003
Hi, me again! :-)
Anyhow, we're in the process of pretty well systematically going through
our multi-sensor IDS system and weeding out false positives. One of the
more recent ones we've come across has been this rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow:to_server,established; content:"Translate|3a| F"; nocase; reference:arachnids,305; reference:bugtraq,1578; classtype:web-application-activity; sid:1042;)
Which has triggered on a few things (actually it helped us find a
non-SSL based Outlook Web Access server, so oddly it helped a bit), but we
found there are false positives being triggered off of WebDAV traffic. I
saw a post on comp.security.misc that mentioned the same type of false
positives on WebDAV traffic back on March 6, 2002 with no apparent
response (maybe a post to snort-sigs would have helped).
Anyhow, the Arachnids DB shows that it's supposed to get triggered off of
a "GET" and a "translate: f", but it seems the "GET" is removed from the
published rule and is getting picked up on stuff like WebDAV's PROPFIND,
etc., which I think, if it's dual purposed, should be split into another
rule, for, of course, WebDAV traffic. Does anybody want to take a look
at this and populate a change back into the rule updates to cover the
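As an added example (not part of the original post, and not Snort code or an official rule set), the following Python models the content matching of the SID 1042 body quoted in the post over three constructed HTTP requests, and shows how a GET-anchored variant plus a separate WebDAV (PROPFIND) rule would split the alerts the way the post suggests. The rule names `get_only` and `webdav_propfind`, the depth values used to anchor the method, and the sample requests are assumptions for illustration; they are not published SIDs.

```python
"""Toy model of Snort 'content' matching, used to show why the published
SID 1042 body fires on WebDAV PROPFIND as well as on the GET it was written
for. Added example; not Snort code and not an official rule set."""

from typing import Optional


def snort_content_bytes(pattern: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal, text
    inside |...| is hex, so 'Translate|3a| F' becomes b'Translate: F'."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        out += chunk.encode("latin-1") if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)


def content_matches(payload: bytes, pattern: str, nocase: bool = False,
                    depth: Optional[int] = None) -> bool:
    """One Snort 'content' option: substring search over the payload,
    case-insensitive if nocase, restricted to the first `depth` bytes if set."""
    needle = snort_content_bytes(pattern)
    haystack = payload if depth is None else payload[:depth]
    if nocase:
        needle, haystack = needle.lower(), haystack.lower()
    return needle in haystack


# Each rule is a list of (content, nocase, depth); all entries must match,
# as multiple content options do in a Snort rule.
RULES = {
    # The published SID 1042 body as quoted in the post: only the header check.
    "published_1042": [("Translate|3a| F", True, None)],
    # Assumed split (not an official rule): require the GET method first.
    # The method is the first token of the request line, so depth 4 covers it.
    "get_only": [("GET ", False, 4), ("Translate|3a| F", True, None)],
    # Assumed companion rule for WebDAV traffic; PROPFIND is the method the
    # post names. Other WebDAV verbs would need their own rule or a pcre.
    "webdav_propfind": [("PROPFIND ", False, 9), ("Translate|3a| F", True, None)],
}


def rule_fires(payload: bytes, contents) -> bool:
    return all(content_matches(payload, p, nocase, depth)
               for p, nocase, depth in contents)


def evaluate(payload: bytes) -> dict:
    """Report which rules fire on a single client->server HTTP request."""
    return {name: rule_fires(payload, contents) for name, contents in RULES.items()}


# Constructed sample requests (not captured traffic).
SAMPLES = {
    # The GET with a trailing backslash that the arachNIDS entry describes.
    "iis_get": (b"GET /default.asp\\ HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Translate: f\r\n\r\n"),
    # A WebDAV client (e.g. an OWA front end) sending the same header on PROPFIND.
    "webdav_propfind": (b"PROPFIND /exchange/user/ HTTP/1.1\r\n"
                        b"Host: owa.example.com\r\nTranslate: f\r\nDepth: 0\r\n\r\n"),
    # Ordinary request without the header: nothing should fire.
    "plain_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, evaluate(payload))
```

Running it shows `published_1042` firing on both the GET and the PROPFIND (the header alone is the only condition), while the split pair fires on exactly one each and neither touches the plain GET. Anchoring on the method via `depth` is a simplification of what a real sensor does: Snort matches on the reassembled `flow:to_server` stream, and later Snort versions offer an `http_method` modifier that is the cleaner way to express the same constraint. Note also that `nocase` on the header content is what makes `Translate: f` and `Translate: F` equivalent, so a case-based split would not help.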