[Snort-sigs] false positive: WEB-FRONTPAGE fourdots request

Joe Stewart jstewart at ...5...
Wed Oct 8 05:59:09 EDT 2003


On Tuesday 07 October 2003 06:14 pm, Matt Kettler wrote:
> At 04:59 PM 10/7/2003, Hugo van der Kooij wrote:
> >alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> >(msg:"WEB-FRONTPAGE fourdots request"; flow:to_server,established;
> >content: "|2e 2e 2e 2e 2f|"; nocase; reference:bugtraq,989;
> >reference:cve,CAN-2000-0153; reference:arachnids,248;
> >classtype:web-application-attack; sid:966;  rev:5;)
>
> <style rant>
>
> What's with all these rules which consist entirely of ASCII text being
> written in hex format for no particularly good reason? What kind of
> drugs do you need to be on to think that "|2e 2e 2e 2e 2f|" is a
> better idea than "..../"?
>
> Perhaps it's just copy-paste laziness from hex packet dumps, but it's
> really quite silly and makes the intent of the rule significantly
> harder to read IMO.
>
> I don't write my emails in |68 65 78| do I?
>
> </style rant>

There are times when writing the content in hex may be valid - if the 
rule might possibly be triggered by content containing the rule itself.
For instance, when visiting a web archive of this mailing list, the way
the above rule is written would not cause a false positive, but the way 
you would have it written might trigger an alert when reading the page 
with the rule displayed, depending on how the user has configured
EXTERNAL_NET and HTTP_SERVERS.

-Joe

--
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/
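The self-match point above, worked through in code. This is an added example, not code from the thread or from Snort: it is a small model of Snort's `content:` matching (pipe-delimited hex segments and backslash escapes, case folding for `nocase`) run over a constructed list-archive page that displays sid:966 in each spelling, and over a constructed request carrying `..../` in its path. The page body, the request, and the helper names are assumptions for illustration. It models content matching only; which packets the rule is ever applied to is decided by its `flow` option and the EXTERNAL_NET and HTTP_SERVERS variables.

```python
# Added example (not from the Snort-sigs thread or from Snort itself): a
# minimal model of Snort's `content:` matching, used to show why writing the
# pattern as |2e 2e 2e 2e 2f| keeps sid:966 from matching a web page that
# displays the rule, while the literal "..../" spelling would match it.
import re


def parse_snort_content(content):
    """Turn a Snort content argument into the raw bytes it matches.

    Text between pipes is a space-separated list of hex bytes; a backslash
    escapes the next character (Snort's \\; \\" \\| and \\\\ escapes).
    """
    out = bytearray()
    i = 0
    while i < len(content):
        ch = content[i]
        if ch == "\\":                      # escaped literal character
            out.append(ord(content[i + 1]))
            i += 2
        elif ch == "|":                     # hex segment up to the next pipe
            end = content.index("|", i + 1)
            for hx in content[i + 1:end].split():
                out.append(int(hx, 16))
            i = end + 1
        else:                               # plain ASCII byte
            out.append(ord(ch))
            i += 1
    return bytes(out)


def rule_content(rule):
    """Return (pattern bytes, nocase flag) from a rule's option list."""
    m = re.search(r'content:\s*"((?:[^"\\]|\\.)*)"', rule)
    nocase = re.search(r'\bnocase\s*;', rule) is not None
    return parse_snort_content(m.group(1)), nocase


def content_matches(rule, payload):
    """Does the rule's content pattern occur anywhere in the payload bytes?"""
    pattern, nocase = rule_content(rule)
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


# The rule as posted (sid:966 rev:5), and the same rule with the content
# spelled out as ASCII the way Matt would prefer.
HEX_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
            '(msg:"WEB-FRONTPAGE fourdots request"; flow:to_server,established; '
            'content: "|2e 2e 2e 2e 2f|"; nocase; reference:bugtraq,989; '
            'reference:cve,CAN-2000-0153; reference:arachnids,248; '
            'classtype:web-application-attack; sid:966; rev:5;)')
ASCII_RULE = HEX_RULE.replace('"|2e 2e 2e 2e 2f|"', '"..../"')


def archive_page(rule):
    """Constructed HTTP body of a list-archive page that displays the rule."""
    return ("<html><body><pre>" + rule + "</pre></body></html>").encode()


def fires_on_own_display(rule):
    """Would the rule match the bytes of a page showing the rule's own text?"""
    return content_matches(rule, archive_page(rule))


# Constructed request with four dots and a slash in the path (not a real
# exploit string). Both spellings must match it: the wire bytes are the same.
ATTACK_REQUEST = b"GET /..../ HTTP/1.0\r\nHost: www.example.com\r\n\r\n"


if __name__ == "__main__":
    for name, rule in (("hex", HEX_RULE), ("ascii", ASCII_RULE)):
        print(f"{name:5s} spelling: matches attack request = "
              f"{content_matches(rule, ATTACK_REQUEST)}, "
              f"matches its own archive page = {fires_on_own_display(rule)}")
```

Both spellings decode to the same five bytes, so they are equivalent against real traffic; the difference is only in what the rule looks like when it is itself the payload, which is the case Joe describes.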