[Snort-sigs] false positive: WEB-FRONTPAGE fourdots request

Hugo van der Kooij hvdkooij at ...481...
Tue Oct 7 14:55:07 EDT 2003

On Tue, 7 Oct 2003, Nigel Houghton wrote:

> It is the browser identification string "Mozilla/4.0 (compatible;  MSIE
> 4.0; Windows NT; ....../1.0 )" that appears to be causing the event to false.
> This is something that can be modified by the client and I don't ever
> remember seeing an id like that from a standard browser. I notice all the
> requests are coming from the same place, have you seen this happen from
> anywhere else?
> Name:   tide158.microsoft.com
> Address:

All requests come from .....

NetRange: - 

NetRange: - 

Sounds like something odd is going on with their MSN search bots.

I know I can turn the signature off, but if there is a reasonable chance of
improving the rule based on false positives, the benefit would be to all
the Snort users.


 All email sent to me is bound to the rules described on my homepage.
    hvdkooij at ...481...		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.
