[Snort-sigs] False positives WEB-CGI calendar access

Hugo van der Kooij hvdkooij at ...481...
Mon Sep 29 01:00:04 EDT 2003


I noticed false positives in my logs:

Sep 28 12:41:19 gandalf snort: [1:882:4] WEB-CGI calendar access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 80.56.139.164:3880 -> 192.168.1.2:80

Due to the request:

80.56.139.164 - - [28/Sep/2003:12:41:19 +0200] "GET /extras/calendar.html HTTP/1.1" 200 12451 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"


This request is however a perfectly valid WebGUI request.

The signature:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar access"; flow:to_server,established; uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882; rev:4;)

I have not yet figured out a better signature. (If anyone can, please share your views.)

Hugo.

-- 
 All email sent to me is bound to the rules described on my homepage.
    hvdkooij at ...481...		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.
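Added example (not from the post, and not Snort's own code): a small Python emulation of the quoted rule's uricontent/nocase test, run over the logged WebGUI request plus a few constructed access-log lines, to show why a plain case-insensitive substring match on "/calendar" fires sid 882 on a static page. The log format parsing and the non-WebGUI sample lines are assumptions made for the example.

```python
import re

# Snort rule quoted in the post, joined back onto one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-CGI calendar access"; flow:to_server,established; '
        'uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882; rev:4;)')

# Constructed Apache combined-log lines: the first is the request from the post,
# the rest are made up here to show what the same test does and does not match.
LOG_LINES = [
    '80.56.139.164 - - [28/Sep/2003:12:41:19 +0200] "GET /extras/calendar.html HTTP/1.1" 200 12451 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [28/Sep/2003:12:45:00 +0200] "GET /Calendar/ HTTP/1.0" 404 210 "-" "curl"',
    '192.0.2.11 - - [28/Sep/2003:12:46:00 +0200] "GET /cgi-bin/calendar.pl HTTP/1.0" 404 210 "-" "curl"',
    '192.0.2.12 - - [28/Sep/2003:12:47:00 +0200] "GET /extras/index.html HTTP/1.1" 200 800 "-" "Mozilla/4.0"',
]

# Pulls the request URI out of a combined-log line (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+"')

def parse_options(rule):
    """Return the options inside the rule's parentheses as (keyword, value) pairs."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    opts = []
    for item in filter(None, (s.strip() for s in body.split(';'))):
        key, _, val = item.partition(':')
        opts.append((key.strip(), val.strip().strip('"') if val else None))
    return opts

def uricontent_matches(rule, uri):
    """Emulate uricontent as a substring test on the URI; a following 'nocase'
    modifier makes that test case-insensitive. Every uricontent must hit."""
    opts = parse_options(rule)
    for i, (key, val) in enumerate(opts):
        if key != 'uricontent':
            continue
        nocase = i + 1 < len(opts) and opts[i + 1][0] == 'nocase'
        hay, needle = (uri.lower(), val.lower()) if nocase else (uri, val)
        if needle not in hay:
            return False
    return True

def alerting_uris(rule, log_lines):
    """URIs from access-log lines on which the rule's uricontent test would fire."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and uricontent_matches(rule, m.group('uri')):
            hits.append(m.group('uri'))
    return hits
```

Running `alerting_uris(RULE, LOG_LINES)` lists the WebGUI page alongside the CGI-style paths, which is exactly the overlap the post describes.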