[Snort-sigs] SID 1882 False Positives: "ATTACK-RESPONSES id check returned userid"

SoloNet Newsfeed newsfeed at ...1411...
Fri Jun 6 12:37:15 EDT 2003


Looks like this may have solved the issue... good work, however, I'm 
going to let this churn over the weekend to see if we have any new 
incidents like the previous again...and I'll chime in again on Monday 
with the results.

Brian wrote:

>On Wed, Jun 04, 2003 at 10:53:53AM -0400, SoloNet Newsfeed wrote:
>  
>
>>Actually, the fix is still triggering false positives on webmail programs:
>>
>>http://mail.someplaceelse.com/wm/mail/read.html?sessionid=4074abfd6118ac6e379ff6527e923009&uid=189&msgid=15&mbox=user.duh.
>>
>>since the signature (even on the new replacement signature) here is 
>>looking for both UID and GID in the content, it's getting mussed up on 
>>MSGID (or message ID)
>>
>>alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check 
>>returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; 
>>content:"gid="; distance:1; within:15; 
>>byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882; 
>>rev:7;)
>>    
>>
>
>Can you try:
>
>alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; content:" gid="; distance:0; byte_test:5,<,65537,0,relative,string;classtype:bad-unknown;)
>
>NOTE, this will STILL alert on SMTP traffic talking about exploits.
>
>-brian
>
>
>  
>
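To make the false positive concrete, here is an added Python model of the matching logic the two rule revisions rely on. It is not Snort's own engine and is not code from anyone in this thread: it implements only a simplified reading of `content`, `distance`, `within` and string-mode `byte_test` (parse up to 5 ASCII digits at the cursor and compare against 65537), takes the first `uid=` occurrence only, and ignores protocol, direction and everything else a real rule does. The `id` command output and the SMTP body are constructed sample payloads; the webmail URL is the one quoted above.

```python
"""Simplified model of the content/byte_test/distance/within logic behind
Snort SID 1882 (added illustration, not Snort's matching engine)."""

MAX_ID = 65537  # threshold from byte_test:5,<,65537,0,relative,string


def byte_test_decimal(payload, pos, nbytes=5, limit=MAX_ID):
    """String-mode byte_test: read up to nbytes decimal digits at pos and
    return True if the value is below limit.  Simplification: a payload with
    no digit at pos fails the test."""
    digits = ""
    for ch in payload[pos:pos + nbytes]:
        if not ch.isdigit():
            break
        digits += ch
    return digits != "" and int(digits) < limit


def find_relative(payload, pattern, cursor, distance=0, within=None):
    """content with distance/within relative to cursor.  Simplified window:
    the match must start at cursor+distance or later and, when within is
    given, end no more than within bytes after that start.  Returns the index
    just past the match, or -1 if there is none."""
    start = cursor + distance
    end = len(payload) if within is None else start + within
    idx = payload.find(pattern, start, end)
    return -1 if idx < 0 else idx + len(pattern)


def sid1882_rev7(payload):
    """Rule as quoted in the thread: content:"gid="; distance:1; within:15."""
    cur = find_relative(payload, "uid=", 0)
    if cur < 0 or not byte_test_decimal(payload, cur):
        return False
    cur = find_relative(payload, "gid=", cur, distance=1, within=15)
    return cur >= 0 and byte_test_decimal(payload, cur)


def sid1882_proposed(payload):
    """Brian's proposed rule: content:" gid="; distance:0 (leading space,
    no within), which "msgid=" cannot satisfy."""
    cur = find_relative(payload, "uid=", 0)
    if cur < 0 or not byte_test_decimal(payload, cur):
        return False
    cur = find_relative(payload, " gid=", cur, distance=0)
    return cur >= 0 and byte_test_decimal(payload, cur)


# Constructed sample payloads.
ID_OUTPUT = "uid=0(root) gid=0(root) groups=0(root)\n"        # real id(1) output
WEBMAIL_SNIPPET = ('<a href="http://mail.someplaceelse.com/wm/mail/read.html'
                   '?sessionid=4074abfd6118ac6e379ff6527e923009'
                   '&uid=189&msgid=15&mbox=user.duh">read</a>')  # URL from thread
SMTP_BODY = ("Subject: exploit writeup\r\n\r\n"
             "the shell came back as uid=0(root) gid=0(root)\r\n")  # mail about exploits


def compare_rules(payload):
    """Return (rev7_alerts, proposed_alerts) for one payload."""
    return sid1882_rev7(payload), sid1882_proposed(payload)


if __name__ == "__main__":
    for name, p in [("id output", ID_OUTPUT), ("webmail URL", WEBMAIL_SNIPPET),
                    ("SMTP body", SMTP_BODY)]:
        print(f"{name:12s} rev7={compare_rules(p)[0]} proposed={compare_rules(p)[1]}")
```

Under this model the quoted rev:7 rule fires on all three payloads, because `msgid=15` satisfies `content:"gid="` within 15 bytes of `uid=189`; the proposed rule keeps the true positive, drops the webmail URL, and, as Brian notes, still fires on mail text that merely quotes `id` output.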
