[Snort-sigs] false positive: WEB-FRONTPAGE fourdots request

Joe Stewart jstewart at ...5...
Wed Oct 8 05:59:09 EDT 2003

On Tuesday 07 October 2003 06:14 pm, Matt Kettler wrote:
> At 04:59 PM 10/7/2003, Hugo van der Kooij wrote:
> >(msg:"WEB-FRONTPAGE fourdots request"; flow:to_server,established;
> >content: "|2e 2e 2e 2e 2f|"; nocase; reference:bugtraq,989;
> >reference:cve,CAN-2000-0153; reference:arachnids,248;
> >classtype:web-application-attack; sid:966;  rev:5;)
> <style rant>
> What's with all these rules which consist entirely of ASCII text 
> being written in hex format for no particularly good reason? What kind
> of drugs do you need to be on to think that "|2e 2e 2e 2e 2f|" is a
> better idea than "..../".
> Perhaps it's just copy-paste laziness from hex packet dumps, but it's
> really quite silly and makes the intent of the rule significantly
> harder to read IMO.
> I don't write my emails in |68 65 78| do I?
> </style rant>

There are times when writing the content in hex may be valid - if the 
rule might possibly be triggered by content containing the rule itself.
For instance, when visiting a web archive of this mailing list- the way
the above rule is written would not cause a false positive, but the way 
you would have it written might trigger an alert when reading the page 
with the rule displayed, depending on how the user has configured


Joe Stewart, GCIH 
Senior Security Researcher
LURHQ Corporation

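The two points above (hex vs. ASCII content is cosmetic for matching, but only the hex form avoids matching its own text when the rule is displayed on a web page) can be checked with a small simulation. The code below is an added example, not code from the original message or from Snort itself: it implements a minimal decoder for Snort's `content` string syntax (plain text interleaved with `|hex|` sections, backslash escapes), a `nocase`-aware matcher, and a helper that asks whether a page rendering the rule's own `content` option would satisfy the rule. The function names, the constructed HTTP request and the rendered rule line are all assumptions for the example; only the content match is modelled, so `flow`, `depth`/`offset` and the other modifiers that a real Snort rule would also apply are deliberately ignored.

```python
# Added example: model Snort "content" matching to show why a hex-written
# content string will not trigger on a web page that displays the rule text,
# while the equivalent ASCII form will. Not Snort's own code.

# Constructed sample request that really does carry the four-dots pattern.
REQUEST = (
    b"GET /images/..../index.html HTTP/1.0\r\n"
    b"Host: www.example.com\r\n\r\n"
)

HEX_FORM = "|2e 2e 2e 2e 2f|"   # as written in sid:966
ASCII_FORM = "..../"             # as Matt would prefer it


def parse_content(spec: str) -> bytes:
    """Decode a Snort content string into the bytes it matches.

    Handles the parts of the syntax relevant here: plain (ASCII) text,
    |hex bytes| sections with optional spaces, and backslash escapes for
    the characters Snort requires escaping (; " | \\). Raises ValueError
    on an unterminated |hex section or bad hex digits.
    """
    out = bytearray()
    i, n = 0, len(spec)
    while i < n:
        c = spec[i]
        if c == "|":
            end = spec.index("|", i + 1)          # ValueError if unterminated
            out.extend(bytes.fromhex(spec[i + 1:end]))  # fromhex ignores spaces
            i = end + 1
        elif c == "\\" and i + 1 < n:
            out.append(ord(spec[i + 1]))          # escaped literal character
            i += 2
        else:
            out.append(ord(c))                    # assumes ASCII content text
            i += 1
    return bytes(out)


def to_hex_content(data: bytes) -> str:
    """Render bytes in Snort's |xx xx| notation (the inverse of parse_content)."""
    return "|" + " ".join(f"{b:02x}" for b in data) + "|"


def content_matches(spec: str, payload: bytes, nocase: bool = False) -> bool:
    """Simulate the content option (plus nocase) against a payload."""
    needle = parse_content(spec)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


def rule_self_triggers(spec: str, nocase: bool = False) -> bool:
    """Would a page that shows this rule's content option contain the very
    bytes the rule looks for? This is the web-archive scenario: the archive
    serves the rule text, and the sensor sees that text as payload."""
    rendered = f'content: "{spec}";'.encode("ascii")
    return content_matches(spec, rendered, nocase)


if __name__ == "__main__":
    # Both spellings decode to the same bytes, so both fire on a real request.
    assert parse_content(HEX_FORM) == parse_content(ASCII_FORM) == b"..../"
    for spec in (HEX_FORM, ASCII_FORM):
        print(f"{spec!r:22} matches request: {content_matches(spec, REQUEST, nocase=True)}")
    # Only the ASCII spelling matches the text of its own rule.
    for spec in (HEX_FORM, ASCII_FORM):
        print(f"{spec!r:22} triggers on its own rule text: {rule_self_triggers(spec)}")
    print("ASCII -> hex:", to_hex_content(b"..../"))
```

Running it shows the asymmetry Joe describes: the hex and ASCII spellings are interchangeable against real traffic, but a page displaying `content: "..../"` contains `..../` while a page displaying `content: "|2e 2e 2e 2e 2f|"` does not. Whether that matters in practice still depends on the rule's other options, `flow:to_server` in particular, which this simulation does not model.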