[Snort-sigs] false positive: WEB-FRONTPAGE fourdots request

Hugo van der Kooij hvdkooij at ...481...
Tue Oct 7 14:00:03 EDT 2003


Many false positives reported on the rule "WEB-FRONTPAGE fourdots request".

Report:

Oct  7 22:43:08 gandalf snort: [1:966:5] WEB-FRONTPAGE fourdots request 
[Classification: Web Application Attack] [Priority: 1]: {TCP} 
207.46.225.251:27800 -> 192.168.1.2:80
Oct  7 22:49:03 gandalf snort: [1:966:5] WEB-FRONTPAGE fourdots request 
[Classification: Web Application Attack] [Priority: 1]: {TCP} 
207.46.225.251:31359 -> 192.168.1.2:80
Oct  7 22:51:14 gandalf snort: [1:966:5] WEB-FRONTPAGE fourdots request 
[Classification: Web Application Attack] [Priority: 1]: {TCP} 
207.46.225.251:33577 -> 192.168.1.2:8

Actual log from webserver:

207.46.225.251 - - [07/Oct/2003:22:43:08 +0200] "GET 
/software/mplayer-skin-plastic-1.1.1-2.noarch.html HTTP/1.0" 200 4252 "-" 
"Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
207.46.225.251 - - [07/Oct/2003:22:49:03 +0200] "GET 
/software/mplayer-skin-Blue-1.0-2.noarch.html HTTP/1.0" 200 5509 "-" 
"Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"
207.46.225.251 - - [07/Oct/2003:22:51:14 +0200] "GET 
/software/mplayer-skin-CornerMP-1.0-2.noarch.html HTTP/1.0" 200 4368 "-" 
"Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"

Rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-FRONTPAGE fourdots request"; flow:to_server,established; 
content: "|2e 2e 2e 2e 2f|"; nocase; reference:bugtraq,989; 
reference:cve,CAN-2000-0153; reference:arachnids,248; 
classtype:web-application-attack; sid:966;  rev:5;)

I guess this rule could be improved. Perhaps someone smarter than me can 
take a shot at it?

Hugo.

-- 
 All email sent to me is bound to the rules described on my homepage.
    hvdkooij at ...481...		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.
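
The post shows why the rule fires: `content:"|2e 2e 2e 2e 2f|"` ("..../") is matched against the whole request payload, and the crawler's User-Agent header `....../1.0` contains that byte string even though the requested path is clean. The following script is an added example, not code from the post or from the Snort project; it reconstructs the three requests from the web server log (request line plus a User-Agent header, constructed here since the raw packets are not in the post) and adds one hypothetical request with "..../" in the URI. It then applies the pattern two ways: against the full payload, as `content:` does, and against the request-target only, which is what restricting the rule to the URI (Snort's `uricontent:` keyword) would do.

```python
"""Reproduce the sid:966 false positive: the same byte pattern matched
against the whole HTTP request vs. against the request URI only."""
from typing import NamedTuple

# Pattern from the posted rule: content:"|2e 2e 2e 2e 2f|"  ->  b"..../"
FOURDOTS = b"\x2e\x2e\x2e\x2e\x2f"


class Verdict(NamedTuple):
    label: str
    content_match: bool  # whole payload, like content:"..../"
    uri_match: bool      # request-target only, like uricontent:"..../"


def request_uri(payload: bytes) -> bytes:
    """Return the request-target from the HTTP request line, or b"" when
    the first line is not a well-formed 'METHOD TARGET HTTP/x.y' line."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return b""
    return parts[1]


def match_content(payload: bytes) -> bool:
    """What the posted rule does: look for the pattern anywhere in the payload."""
    return FOURDOTS in payload


def match_uri(payload: bytes) -> bool:
    """A URI-restricted check: headers such as User-Agent are never inspected."""
    return FOURDOTS in request_uri(payload)


def build_request(path: bytes, user_agent: bytes) -> bytes:
    """Assemble a minimal HTTP/1.0 request (constructed, not captured traffic)."""
    return (b"GET " + path + b" HTTP/1.0\r\n"
            b"Host: 192.168.1.2\r\n"
            b"User-Agent: " + user_agent + b"\r\n\r\n")


# User-Agent string copied from the web server log in the post.
CRAWLER_UA = b"Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )"

SAMPLES = {
    # The three hits from the post: clean paths, pattern only in the UA header.
    "log_1": build_request(b"/software/mplayer-skin-plastic-1.1.1-2.noarch.html", CRAWLER_UA),
    "log_2": build_request(b"/software/mplayer-skin-Blue-1.0-2.noarch.html", CRAWLER_UA),
    "log_3": build_request(b"/software/mplayer-skin-CornerMP-1.0-2.noarch.html", CRAWLER_UA),
    # Hypothetical request with the pattern in the URI itself (path made up here).
    "fourdots_in_uri": build_request(b"/..../secret.txt", b"Mozilla/4.0"),
    # Ordinary request with neither.
    "clean": build_request(b"/index.html", b"Mozilla/4.0"),
}


def evaluate(samples: dict[str, bytes]) -> list[Verdict]:
    """Run both checks over every sample so the two columns can be compared."""
    return [Verdict(label, match_content(p), match_uri(p)) for label, p in samples.items()]


def false_positives(samples: dict[str, bytes]) -> list[str]:
    """Labels that the payload-wide match flags but the URI-only match does not."""
    return [v.label for v in evaluate(samples) if v.content_match and not v.uri_match]


if __name__ == "__main__":
    for v in evaluate(SAMPLES):
        print(f"{v.label:16} content={v.content_match!s:5} uri={v.uri_match}")
    print("false positives under content-only matching:", false_positives(SAMPLES))
```

All three logged requests match under the payload-wide check and none under the URI-only check, while the hypothetical "/..../secret.txt" request matches under both. In rule terms that suggests replacing `content: "|2e 2e 2e 2e 2f|"; nocase;` with `uricontent:"..../";` (the `nocase` is meaningless for dots and a slash), which is a proposed change here, not the revision the Snort maintainers actually shipped. One caveat: a URI-only rule ignores the pattern in every header, so anything that legitimately needed to catch "..../" outside the request line would have to be a separate rule.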