[Snort-sigs] False +ves with sid 1882 with possible fix

Russell Fulton r.fulton at ...575...
Tue Jun 10 01:46:03 EDT 2003


Could we add a "flow from_server" to this rule without compromising its
intention?

alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id
check returned userid"; content:"uid=";
byte_test:5,<,65537,0,relative,string; content:"gid="; distance:1;
within:15; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown;
sid:1882; rev:7;)


I've just got 100s of hits on this matching a URL:

000 : 47 45 54 20 2F 67 61 6C 6C 65 72 79 2F 76 69 65   GET /gallery/vie
010 : 77 3F 26 70 3D 33 26 75 69 64 3D 31 31 38 30 39   w?&p=3&uid=11809
020 : 36 33 26 67 69 64 3D 32 32 33 34 33 33 33 26 26   63&gid=2234333&&
030 : 69 6D 67 69 64 3D 32 36 39 39 38 32 38 32 20 48   imgid=26998282 H
040 : 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A   TTP/1.1..Accept:


-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.
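To make the false positive concrete, here is an added example (my own Python, not part of the post and not Snort's code) that emulates the option chain of sid 1882 and runs it over the GET request from the hexdump above and over a constructed sample of the `id` output the rule is meant to catch. The `require_from_server` flag stands in for the proposed `flow:from_server;` option. The matcher approximates Snort's semantics (Snort's own byte_test string conversion and content retry logic are more involved), so treat it as an illustration of the rule logic rather than a reimplementation.

```python
"""Toy emulation of the option chain in Snort sid 1882 (added example).

Models content / byte_test ...,string / distance / within closely enough to
show why the gallery GET in the post fires the rule and why a direction
check (flow:from_server) would stop it.
"""
import re

# Payload reconstructed from the hexdump in the post (first 80 bytes).
GALLERY_GET = (b"GET /gallery/view?&p=3&uid=1180963&gid=2234333&&"
               b"imgid=26998282 HTTP/1.1\r\nAccept:")

# Constructed sample of what the rule targets: `id` output echoed back by
# a compromised host (not taken from the post).
ID_OUTPUT = b"uid=0(root) gid=0(root) groups=0(root)\n"


def byte_test_string(payload, offset, nbytes, limit):
    """byte_test:<nbytes>,<,<limit>,0,relative,string (approximation).

    Grab nbytes bytes at the cursor, convert the leading decimal digits,
    and test the value against limit. Non-digits end the conversion; with
    no digits at all the test fails.
    """
    chunk = payload[offset:offset + nbytes]
    m = re.match(rb"\d+", chunk)
    if not m:
        return False
    return int(m.group()) < limit


def sid1882_matches(payload, from_server, require_from_server=False):
    """Emulate the body of sid 1882 against a single payload.

    from_server: direction of the packet (True = server -> client).
    require_from_server: models adding `flow:from_server;` to the rule.
    """
    if require_from_server and not from_server:
        return False

    pos = 0
    while True:
        # content:"uid=";
        i = payload.find(b"uid=", pos)
        if i < 0:
            return False
        cursor = i + 4                      # detection cursor after "uid="

        # byte_test:5,<,65537,0,relative,string;
        if byte_test_string(payload, cursor, 5, 65537):
            # content:"gid="; distance:1; within:15;
            # search window starts 1 byte after the cursor, 15 bytes long
            win_start = cursor + 1
            window = payload[win_start:win_start + 15]
            j = window.find(b"gid=")
            if j >= 0:
                gid_cursor = win_start + j + 4
                # byte_test:5,<,65537,0,relative,string;
                if byte_test_string(payload, gid_cursor, 5, 65537):
                    return True
        # retry from the next "uid=" occurrence
        pos = i + 1


if __name__ == "__main__":
    for name, payload, direction in (("gallery GET", GALLERY_GET, False),
                                     ("id output", ID_OUTPUT, True)):
        print(f"{name:12s} original rule: {sid1882_matches(payload, direction)}"
              f"  with flow:from_server: "
              f"{sid1882_matches(payload, direction, require_from_server=True)}")
```

Two things worth noticing when running it. First, each byte_test only reads five bytes, so `uid=1180963` is evaluated as 11809, which is why a seven-digit gallery user ID still passes the `< 65537` check; any uid/gid whose first five digits are below 65537 will. Second, the `flow` keyword is evaluated against the stream preprocessor's TCP session state, so a direction check only helps for tracked TCP sessions; the rule as posted is an `alert ip` rule, which is worth keeping in mind when adding it.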




