[Snort-sigs] False positives WEB-CGI calendar access

Johnathan Norman jnorman at ...1256...
Mon Sep 29 23:47:04 EDT 2003


Well, this rule, as with many of the "access" rules, is way too vague. The
rule should be changed to check for calendar_admin.pl, which is the Perl
script that the rule is worried about.

Johnathan Norman, SCNA,CCSP,ISSP,GCIA
Network Security Analyst
Alert Logic, Inc.
Office: 713-484-8383

On Mon, 29 Sep 2003, Daniel de Young wrote:

> On Sun, 2003-09-28 at 22:11, Hugo van der Kooij wrote:
>
> > The signature:
> >
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
> > calendar access";flow:to_server,established; uricontent:"/calendar";
> > nocase; classtype:attempted-recon; sid:882;  rev:4;)
> >
> > I have not yet figured out a better signature. (If anyone can please share
> > your views.)
>
> This rule doesn't seem to be very useful on your network...
>
> If a request to "calender.html" from outside is valid activity, I'd just
> comment out the rule.
>
> Am I missing something?
>
> -Daniel
>
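An added illustration of the false-positive problem discussed in this thread (not code from either poster or from the Snort project): it parses the quoted sid:882 rule, emulates `uricontent` with `nocase` as a percent-decoded substring match (a simplification of Snort's URI normalization), and compares it with a hypothetical variant narrowed to `calendar_admin.pl`. The request URIs and the narrowed rule text are constructed for the example.

```python
import re
from urllib.parse import unquote

# Rule text as quoted in the thread (sid:882, rev:4).
ORIGINAL = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
            '(msg:"WEB-CGI calendar access";flow:to_server,established; '
            'uricontent:"/calendar"; nocase; classtype:attempted-recon; '
            'sid:882;  rev:4;)')
# Hypothetical narrowed variant following the reply's suggestion;
# an assumption for illustration, not an official rule.
NARROWED = ORIGINAL.replace('uricontent:"/calendar";',
                            'uricontent:"/calendar_admin.pl";')

# Constructed request URIs: ordinary pages plus the admin script itself.
BENIGN = ["/calendar.html", "/Calendar/2003/09/index.html", "/index.html"]
ADMIN = ["/cgi-bin/calendar_admin.pl", "/cgi-bin/Calendar_Admin.PL",
         "/cgi-bin/calendar%5Fadmin.pl"]

def parse_uricontent(rule):
    """Return [(pattern, nocase)] for each uricontent option in the rule."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    # Split on ';' but keep quoted strings (which may contain ';') intact.
    opts = [o.strip() for o in re.findall(r'(?:[^;"]|"[^"]*")+', body)]
    found = []
    for opt in opts:
        if opt.startswith('uricontent:'):
            found.append([opt.split(':', 1)[1].strip().strip('"'), False])
        elif opt == 'nocase' and found:
            found[-1][1] = True  # nocase modifies the preceding content
    return [tuple(f) for f in found]

def matches(rule, uri):
    """Simplified uricontent check: percent-decode, then substring match."""
    decoded = unquote(uri)
    for pattern, nocase in parse_uricontent(rule):
        hay = decoded.lower() if nocase else decoded
        needle = pattern.lower() if nocase else pattern
        if needle not in hay:
            return False
    return True

def alerts(rule, uris):
    """URIs from the list that would fire the rule."""
    return [u for u in uris if matches(rule, u)]

if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL), ("narrowed", NARROWED)):
        print(name, "benign hits:", alerts(rule, BENIGN))
        print(name, "admin hits: ", alerts(rule, ADMIN))
```
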



