[Snort-sigs] false positive: WEB-FRONTPAGE fourdots request
jstewart at ...5...
Wed Oct 8 05:59:09 EDT 2003
On Tuesday 07 October 2003 06:14 pm, Matt Kettler wrote:
> At 04:59 PM 10/7/2003, Hugo van der Kooij wrote:
> >alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> >(msg:"WEB-FRONTPAGE fourdots request"; flow:to_server,established;
> >content: "|2e 2e 2e 2e 2f|"; nocase; reference:bugtraq,989;
> >reference:cve,CAN-2000-0153; reference:arachnids,248;
> >classtype:web-application-attack; sid:966; rev:5;)
> <style rant>
> What's with the all these rules which consist entirely of ASCII text
> are written in hex format for no particularly good reason? What kind
> of drugs do you need to be on to think that "|2e 2e 2e 2e 2f|" is a
> better idea than "..../".
> Perhaps it's just copy-paste laziness from hex packet dumps, but it's
> really quite silly and makes the intent of the rule significantly
> harder to read IMO.
> I don't write my emails in |68 65 78| do I?
> </style rant>
There are times when writing the content in hex may be valid - if the
rule might possibly be triggered by content containing the rule itself.
For instance, when visiting a web archive of this mailing list - the way
the above rule is written would not cause a false positive, but the way
you would have it written might trigger an alert when reading the page
with the rule displayed, depending on how the user has configured
EXTERNAL_NET and HTTP_SERVERS.
Joe Stewart, GCIH
Senior Security Researcher
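To make the self-triggering point concrete, here is an added example (not from the thread or the Snort project) that decodes a Snort content string, with or without |hex| escapes, into the bytes the rule actually matches, and then checks whether the text of each rule variant would itself match its own content. The rule strings and the parser are constructed for this illustration; the parser handles only the ASCII/|hex| forms, not Snort's backslash escapes.

```python
import re

# Two constructed versions of sid 966: the archived hex form and the plain-ASCII form.
HEX_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
            '(msg:"WEB-FRONTPAGE fourdots request"; flow:to_server,established; '
            'content: "|2e 2e 2e 2e 2f|"; nocase; sid:966; rev:5;)')
ASCII_RULE = HEX_RULE.replace('"|2e 2e 2e 2e 2f|"', '"..../"')

CONTENT_RE = re.compile(r'content:\s*"([^"]*)"')


def parse_content(spec: str) -> bytes:
    """Turn a Snort content value into raw bytes.

    Segments between '|' delimiters are hex byte pairs (spaces allowed);
    everything else is literal ASCII text.
    """
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2 == 1:                      # odd chunks sit inside |...|
            out.extend(bytes.fromhex(chunk))
        else:
            out.extend(chunk.encode("latin-1"))
    return bytes(out)


def content_matches(spec: str, payload: bytes, nocase: bool = True) -> bool:
    """Emulate a single content/nocase test against a payload."""
    needle = parse_content(spec)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


def self_triggers(rule_text: str) -> bool:
    """Would this rule fire on an HTTP response carrying its own text?

    Models a user reading the list archive: the rule body is the payload.
    """
    spec = CONTENT_RE.search(rule_text).group(1)
    page = b"HTTP/1.1 200 OK\r\n\r\n<pre>" + rule_text.encode() + b"</pre>"
    return content_matches(spec, page)


if __name__ == "__main__":
    print("hex form matches bytes:", parse_content("|2e 2e 2e 2e 2f|"))
    print("hex rule self-triggers:", self_triggers(HEX_RULE))     # False
    print("ascii rule self-triggers:", self_triggers(ASCII_RULE)) # True
```

Both content forms decode to the same five bytes, so detection of a real "..../" request is identical; only the ASCII-written rule contains its own match string when the rule text is served back to a reader.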