[Snort-sigs] false positive: WEB-FRONTPAGE fourdots request

Hugo van der Kooij hvdkooij at ...481...
Tue Oct 7 14:55:07 EDT 2003


On Tue, 7 Oct 2003, Nigel Houghton wrote:

> It is the browser identification string "Mozilla/4.0 (compatible;  MSIE
> 4.0; Windows NT; ....../1.0 )" that appears to be causing the event to
> fire falsely.
> 
> This is something that can be modified by the client and I don't ever
> remember seeing an id like that from a standard browser. I notice all the
> requests are coming from the same place; have you seen this happen from
> anywhere else?
> 
> Name:   tide158.microsoft.com
> Address: 207.46.225.251

All requests come from .....

NetRange:   131.107.0.0 - 131.107.255.255 
CIDR:       131.107.0.0/16 
NetName:    MICROSOFT

NetRange:   207.46.0.0 - 207.46.255.255 
CIDR:       207.46.0.0/16 
NetName:    MICROSOFT-GLOBAL-NET

Sounds like something odd is going on with their MSN search bots.

I know I can turn the signature off, but if there is a reasonable chance of 
improving the rule based on false positives, the benefit would be to all 
the Snort users.

Hugo.

-- 
 All email sent to me is bound to the rules described on my homepage.
    hvdkooij at ...481...		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.
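The thread's diagnosis is that the rule fires on a "...." substring that lives in the User-Agent header rather than in the request line. The script below is an added example (not code from the thread, from Hugo or Nigel, or from the Snort project) that reproduces that distinction: it runs a naive "match anywhere in the request" check and a URI-scoped check, in the style of Snort's uricontent, over three constructed HTTP requests, one of them carrying the exact User-Agent string quoted above. It assumes, as the thread implies, that the signature content-matches four consecutive dots and that scoping the match to the request-URI would stop the header from triggering it; the sample requests, paths and hostnames are constructed for the demo and the real rule text is not reproduced here.

```python
"""
Added example: why a whole-request content match on "...." fires on a
User-Agent header, and how a URI-scoped match avoids it.

Assumptions (not stated on the mailing-list page):
  * the WEB-FRONTPAGE fourdots rule matches the bytes "...." anywhere in
    the client request;
  * a uricontent-style match that only inspects the request-URI is the
    candidate refinement.
All sample requests below are constructed for this demo.
"""

from typing import Dict, Optional, Tuple

FOURDOTS = b"...."

# Constructed sample traffic. The "msn_bot" User-Agent is the string quoted
# in the thread; the paths, hostname and other headers are made up.
REQUESTS: Dict[str, bytes] = {
    "frontpage_probe": (
        b"GET /..../default.htm HTTP/1.0\r\n"
        b"Host: www.example.com\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)\r\n"
        b"\r\n"
    ),
    "msn_bot": (
        b"GET /index.html HTTP/1.0\r\n"
        b"Host: www.example.com\r\n"
        b"User-Agent: Mozilla/4.0 (compatible;  MSIE 4.0; Windows NT; ....../1.0 )\r\n"
        b"\r\n"
    ),
    "ordinary": (
        b"GET /index.html HTTP/1.0\r\n"
        b"Host: www.example.com\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)\r\n"
        b"\r\n"
    ),
}


def parse_request(raw: bytes) -> Tuple[bytes, bytes, Dict[bytes, bytes]]:
    """Minimal HTTP/1.x request parser: returns (method, uri, headers).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def match_anywhere(raw: bytes) -> bool:
    """Naive content match: fires wherever '....' appears, headers included."""
    return FOURDOTS in raw


def match_uri_only(raw: bytes) -> bool:
    """URI-scoped match: looks only at the request-URI, as uricontent would."""
    _method, uri, _headers = parse_request(raw)
    return FOURDOTS in uri


def classify(raw: bytes) -> Dict[str, bool]:
    """Run both match styles over one request."""
    return {"content": match_anywhere(raw), "uricontent": match_uri_only(raw)}


def find_trigger(raw: bytes) -> Optional[str]:
    """Locate which part of the request carries the pattern, for triage.

    Returns "uri", "header:<name>" or None.
    """
    _method, uri, headers = parse_request(raw)
    if FOURDOTS in uri:
        return "uri"
    for name, value in headers.items():
        if FOURDOTS in value:
            return "header:" + name.decode("ascii", "replace")
    return None


if __name__ == "__main__":
    for label, raw in REQUESTS.items():
        result = classify(raw)
        print(f"{label:16} content={result['content']!s:5} "
              f"uricontent={result['uricontent']!s:5} "
              f"trigger={find_trigger(raw)}")
```

Running it shows the MSN-bot request matched only by the whole-request check, with the trigger reported as the User-Agent header, while the constructed FrontPage probe is caught by both styles. That is the evidence a rule maintainer would want before changing the match scope: the refinement keeps the true positive and drops the false one.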