[Snort-sigs] SID 1882 False Positives : "ATTACK-RESPONSES id check returned userid "

SoloNet Newsfeed Processor newsfeed at ...1411...
Wed May 28 07:57:15 EDT 2003


In the recent rule updates, it seems that SID 1882 has now begun
generating false positives. Its search string "uid=" gets triggered on
long URLs, which was evidenced by a number (20K+) of alerts we received this
morning.

alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882; rev:4;)

I believe the byte test is incorrect, but I'm not sure how to fix it since
I'm not as knowledgeable about the exploit it's trying to pick up. Anybody
want to chime in on this?
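To see why the byte_test in SID 1882 fires on URLs, here is an added emulation of the rule's two payload checks (not Snort's code and not from the list): content "uid=" followed by byte_test:5,<,65537,0,relative,string, which reads the next 5 bytes as a decimal string. It assumes strtoul-style conversion (leading digits only, failure when there are none) and that later occurrences of "uid=" are retried when the first fails; the sample payloads are constructed.

```python
import re

CONTENT = b"uid="
BYTES_TO_CONVERT = 5   # byte_test: number of bytes to read
THRESHOLD = 65537      # byte_test: compare with "<"


def byte_test_string_lt(payload: bytes, start: int, nbytes: int, threshold: int) -> bool:
    """Approximate byte_test:<nbytes>,<,<threshold>,0,relative,string.

    Assumption: the grabbed bytes are converted like strtoul, so only the
    leading decimal digits count and the test fails if there are none.
    """
    m = re.match(rb"\d+", payload[start:start + nbytes])
    if not m:
        return False
    return int(m.group()) < threshold


def sid1882_matches(payload: bytes) -> bool:
    """Emulate the content + relative byte_test pair of SID 1882.

    Assumption: like Snort, every occurrence of the content is tried until
    the byte_test succeeds or the occurrences run out.
    """
    idx = payload.find(CONTENT)
    while idx != -1:
        if byte_test_string_lt(payload, idx + len(CONTENT), BYTES_TO_CONVERT, THRESHOLD):
            return True
        idx = payload.find(CONTENT, idx + 1)
    return False


# Constructed sample payloads: the `id` output the rule is meant to catch,
# and an outbound HTTP request carrying a numeric uid= query parameter.
ID_OUTPUT = b"uid=0(root) gid=0(root) groups=0(root)\n"
LONG_URL = b"GET /profile.php?uid=1234567&sort=date&page=3 HTTP/1.1\r\nHost: example\r\n\r\n"
NON_NUMERIC_URL = b"GET /profile.php?uid=alice HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for name, pkt in [("id output", ID_OUTPUT), ("long URL", LONG_URL), ("non-numeric uid", NON_NUMERIC_URL)]:
        print(f"{name:16} -> {'ALERT' if sid1882_matches(pkt) else 'no alert'}")
```

The URL sample alerts because "12345" (the first 5 bytes after "uid=") is below 65537, which is exactly the false positive described above; a numeric value with 5 digits at or above 65537 would not.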
