[Snort-sigs] SID 1042 false positives: WEB-IIS view source via translate header

Brian bmc at ...95...
Sat Jun 7 16:44:03 EDT 2003


On Fri, Jun 06, 2003 at 02:59:03PM -0400, SoloNet Newsfeed wrote:
> Anyhow, the Arachnids DB shows that it's supposed to get triggered off of 
> a "GET" and a "translate: f", but it seems the "GET" is removed from the 
> published rule and is getting picked up on stuff like WebDav's PROPFIND, 
> etc., which I think, if it's dual purposed, should be split into another 
> rule, for, of course, WebDav traffic. Does anybody want to take a look 
> at this and populate a change back into the rule updates to cover the 
> false positives?

Nope.  If you don't use webdav, then this rule is fine.  I removed the
GET on purpose.  Often, the METHOD isn't in the same packet.

-brian
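
The trade-off discussed in this thread, as an added example that is not part of the original messages or of the Snort ruleset: three matchers run over constructed request segments, showing that a header-only per-packet match also fires on WebDAV PROPFIND, while requiring GET in the same packet misses a request whose method arrives in an earlier segment. The request bytes, host names, function names and the reassembled-stream variant are assumptions made for illustration.

```python
import re

# Constructed sample traffic (not from the thread): each request is a list of
# TCP segment payloads, as a per-packet matcher would see them.
GET_ONE_SEGMENT = [
    b"GET /default.asp HTTP/1.1\r\nHost: www.example.test\r\nTranslate: f\r\n\r\n",
]
GET_SPLIT = [
    b"GET /default.asp HTTP/1.1\r\nHost: www.example.test\r\n",
    b"Translate: f\r\n\r\n",
]
PROPFIND_SPLIT = [
    b"PROPFIND /docs/ HTTP/1.1\r\nHost: www.example.test\r\n",
    b"Translate: f\r\nDepth: 1\r\n\r\n",
]

# Header name is case-insensitive; match it only at the start of a header line.
HEADER = re.compile(rb"(?im)^translate:[ \t]*f[ \t]*\r?$")


def per_packet_header_only(segments):
    """Alert if any single segment carries the Translate: f header."""
    return any(HEADER.search(s) is not None for s in segments)


def per_packet_with_get(segments):
    """Alert only if one segment carries both the GET method and the header."""
    return any(s.startswith(b"GET ") and HEADER.search(s) is not None
               for s in segments)


def reassembled_with_get(segments):
    """Hypothetical stream-level check: join segments, then require GET + header."""
    stream = b"".join(segments)
    request_line = stream.split(b"\r\n", 1)[0]
    return request_line.startswith(b"GET ") and HEADER.search(stream) is not None


if __name__ == "__main__":
    samples = {"GET, one segment": GET_ONE_SEGMENT,
               "GET, split": GET_SPLIT,
               "PROPFIND, split": PROPFIND_SPLIT}
    for name, segs in samples.items():
        print(f"{name:18} header-only={per_packet_header_only(segs)} "
              f"get+header={per_packet_with_get(segs)} "
              f"reassembled={reassembled_with_get(segs)}")
```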