[Snort-sigs] SID 1042 false positives: WEB-IIS view source via translate header"
bmc at ...95...
Sat Jun 7 16:44:03 EDT 2003
On Fri, Jun 06, 2003 at 02:59:03PM -0400, SoloNet Newsfeed wrote:
> Anyhow, the Arachnids DB shows that it's supposed t get triggered off of
> a "GET" and a "translate: f", but it seems the "GET" is removed from the
> published rule and is getting picked up on stuff like WebDav's PROPFIND,
> etc., which I think, if it's dual purposed, shoudl be split into another
> rule, for, of course, WebDav traffic. Does anybody want to take a look
> at this and populate a change back into the rule updates to cover the
> false positives?
Nope. If you don't use webdav, then this rule is fine. I removed the
GET on purpose. Often, the METHOD isn't in the same packet.
More information about the Snort-sigs