[Snort-sigs] False positives WEB-CGI calendar access

Hugo van der Kooij hvdkooij at ...481...
Mon Sep 29 01:00:04 EDT 2003

I noticed false positives in my logs:

Sep 28 12:41:19 gandalf snort: [1:882:4] WEB-CGI calendar access 
[Classification: Attempted Information Leak] [Priority: 2]: {TCP} ->

Due to the request: - - [28/Sep/2003:12:41:19 +0200] "GET /extras/calendar.html 
HTTP/1.1" 200 12451 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 

This request is, however, a perfectly valid WebGUI request.

The signature:

calendar access";flow:to_server,established; uricontent:"/calendar"; 
nocase; classtype:attempted-recon; sid:882;  rev:4;)

I have not yet figured out a better signature. (If anyone can, please share 
your views.)


 All email sent to me is bound to the rules described on my homepage.
    hvdkooij at ...481...		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.
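
The false positive reported above, as an added example that is not part of the original post or of Snort itself: it emulates the rule's `uricontent:"/calendar"; nocase;` test as a case-insensitive substring match and replays it over constructed access-log lines to separate static-page hits from hits that need review. The client addresses, the extra log lines, and the static-extension heuristic are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines (Apache-style). Client addresses are documentation
# placeholders; only the first request path comes from the post.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Sep/2003:12:41:19 +0200] "GET /extras/calendar.html HTTP/1.1" 200 12451',
    '192.0.2.11 - - [28/Sep/2003:12:45:02 +0200] "GET /cgi-bin/calendar.pl?month=9 HTTP/1.0" 200 512',
    '192.0.2.12 - - [28/Sep/2003:12:50:40 +0200] "GET /CGI-BIN/Calendar HTTP/1.0" 404 210',
    '192.0.2.13 - - [28/Sep/2003:12:51:00 +0200] "GET /index.html HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Hypothetical triage heuristic: extensions treated as static content.
STATIC_EXT = (".html", ".htm", ".css", ".js", ".png", ".gif", ".jpg")


def rule_882_matches(uri):
    """Simplified emulation of uricontent:"/calendar"; nocase; (substring match).
    Snort applies this to the normalized URI; normalization is not modelled here."""
    return "/calendar" in uri.lower()


def triage(line):
    """Return (uri, verdict) for one log line, or None if no request is found."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    uri = m.group(1)
    if not rule_882_matches(uri):
        return (uri, "no-alert")
    # The rule fires on any URI containing "/calendar", so a static page such
    # as /extras/calendar.html alerts exactly like a CGI request would.
    path = urlsplit(uri).path.lower()
    if path.endswith(STATIC_EXT):
        return (uri, "alert-likely-fp")
    return (uri, "alert-review")


def summarize(lines):
    """Group request URIs by verdict."""
    out = {}
    for line in lines:
        result = triage(line)
        if result is not None:
            out.setdefault(result[1], []).append(result[0])
    return out


if __name__ == "__main__":
    for verdict, uris in summarize(SAMPLE_LOG).items():
        print(verdict, uris)
```
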
