[Snort-sigs] false positive: WEB-FRONTPAGE fourdots request
Hugo van der Kooij
hvdkooij at ...481...
Tue Oct 7 14:55:07 EDT 2003
On Tue, 7 Oct 2003, Nigel Houghton wrote:
> It is the browser identification string "Mozilla/4.0 (compatible; MSIE
> 4.0; Windows NT; ....../1.0 )" that appears to be causing the event to false.
> This is something that can be modified by the client and I don't ever
> remember seeing an id like that from a standard browser. I notice all the
> requests are coming from the same place, have you seen this happen from
> anywhere else?
> Name: tide158.microsoft.com
> Address: 220.127.116.11
All requests come from .....
NetRange: 18.104.22.168 - 22.214.171.124
NetRange: 126.96.36.199 - 188.8.131.52
Sounds like something odd is going on with their MSN search bots.
I know I can turn the signature off but if there is a reasonable chance of
improving the rule based on false positives the benefit would be to all
the snort users.
All email sent to me is bound to the rules described on my homepage.
hvdkooij at ...481... http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins,
for they are subtle and quick to anger.
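
The false positive discussed above, as an added example that is not part of the original message or of the Snort rule set: it compares a payload-wide match with a match scoped to the request URI (the idea behind Snort's `uricontent` keyword). The pattern `..../` is an assumption, since the rule text is not quoted in this thread, and every request below is constructed.

```python
from urllib.parse import unquote_to_bytes

# Assumed signature content: four dots followed by a slash.
# The thread does not quote the rule, so this pattern is an assumption.
FOURDOTS = b"..../"

# Constructed sample requests (not captured traffic).
BOT_REQUEST = (
    b"GET /index.html HTTP/1.0\r\n"
    b"Host: www.example.org\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 4.0; Windows NT; ....../1.0 )\r\n"
    b"\r\n"
)
FOURDOTS_REQUEST = b"GET /..../constructed.txt HTTP/1.0\r\nHost: www.example.org\r\n\r\n"
ENCODED_REQUEST = b"GET /%2e%2e%2e%2e/constructed.txt HTTP/1.0\r\nHost: www.example.org\r\n\r\n"
MALFORMED_REQUEST = b"\x00\x01..../"


def request_uri(raw: bytes):
    """Return the URI field of the HTTP request line, or None if unparseable."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2 or not parts[1]:
        return None
    return parts[1]


def match_payload(raw: bytes) -> bool:
    """Payload-wide match: also inspects headers such as User-Agent."""
    return FOURDOTS in raw


def match_uri(raw: bytes) -> bool:
    """URI-scoped match on the percent-decoded URI only."""
    uri = request_uri(raw)
    if uri is None:
        # No parseable request line: fall back to the payload-wide match
        # rather than silently dropping coverage.
        return match_payload(raw)
    return FOURDOTS in unquote_to_bytes(uri)


if __name__ == "__main__":
    samples = {"bot": BOT_REQUEST, "fourdots": FOURDOTS_REQUEST,
               "encoded": ENCODED_REQUEST, "malformed": MALFORMED_REQUEST}
    for name, raw in samples.items():
        print(f"{name:10} payload={match_payload(raw)!s:5} uri={match_uri(raw)}")
```

The crawler request fires only under the payload-wide match, while the URI-scoped match still catches the four-dot path and additionally its percent-encoded form.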