[Snort-sigs] SID 1344

Nigel Houghton nigel at ...435...
Sat Aug 21 09:57:01 EDT 2004


On  0, James Ashton <james at ...2424...> allegedly wrote:
> I have been getting a lot of falses lately on SID:1344

And since the rule is looking for access to "cc" followed by a space, you
will continue to get events when your customers use URIs like

 http://www.turfcatering.com/hsc&cc menus.htm

Not sure what your best course of action might be here: stop using spaces
in URIs (my first choice), turn the rule off (you're using FreeBSD on the
server, so there are many, many things you can do to make sure you are not
affected by this issue), or create a pass rule maybe.

You're a hosting company, right? So you'll already be running the websites
you host in a Jail, correct? You'll be using securelevel and chflags to your
advantage too, right? I would hope that no one is able to access cc via a
URI on the hosted sites.

> Here is today's Pcap.
> 
> 
> 47 45 54 20 2F 69 6D 61 67 65 73 2F 68 73 5F 70 	GET /images/hs_p
> 68 6F 74 6F 5F 6E 69 67 68 74 6C 69 66 65 33 2E 	hoto_nightlife3.
> 6A 70 67 20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 	jpg HTTP/1.1..Ac
> 63 65 70 74 3A 20 2A 2F 2A 0D 0A 52 65 66 65 72 	cept: */*..Refer
> 65 72 3A 20 68 74 74 70 3A 2F 2F 77 77 77 2E 74 	er: http://www.t
> 75 72 66 63 61 74 65 72 69 6E 67 2E 63 6F 6D 2F 	urfcatering.com/
> 68 73 63 25 32 36 63 63 25 32 30 6D 65 6E 75 73 	hsc%26cc%20menus
> 2E 68 74 6D 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 	.htm..Accept-Lan
> 67 75 61 67 65 3A 20 65 6E 2D 75 73 0D 0A 41 63 	guage: en-us..Ac
> 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 	cept-Encoding: g
> 7A 69 70 2C 20 64 65 66 6C 61 74 65 0D 0A 55 73 	zip, deflate..Us
> 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 	er-Agent: Mozill
> 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 	a/4.0 (compatibl
> 65 3B 20 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E 	e; MSIE 6.0; Win
> 64 6F 77 73 20 4E 54 20 35 2E 31 29 0D 0A 48 6F 	dows NT 5.1)..Ho
> 73 74 3A 20 77 77 77 2E 74 75 72 66 63 61 74 65 	st: www.turfcate
> 72 69 6E 67 2E 63 6F 6D 0D 0A 43 6F 6E 6E 65 63 	ring.com..Connec
> 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 	tion: Keep-Alive
> 0D 0A 0D 0A    
 
 
+-------------------------------------------------------------------------+
       Nigel Houghton       Research Engineer        Sourcefire Inc.
                       Vulnerability Research Team
                                                                         
  "Dude, dolphins are intelligent and friendly!" - Wendy
  "Intelligent and friendly on rye bread, with some mayonnaise." - Cartman
+-------------------------------------------------------------------------+
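
An added example, not part of the original message and not Snort code: it percent-decodes each part of the request in the capture quoted above and reports where "cc " occurs. The function names are illustrative, and the pattern is taken from the reply's description because the rule text itself is not quoted in the message.

```python
from urllib.parse import unquote

# Request transcribed from the capture quoted in the message above.
CAPTURED = (
    b"GET /images/hs_photo_nightlife3.jpg HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Referer: http://www.turfcatering.com/hsc%26cc%20menus.htm\r\n"
    b"Accept-Language: en-us\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Host: www.turfcatering.com\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)

# Assumption: "cc" followed by a space, as described in the reply.
PATTERN = "cc "


def locate_pattern(raw: bytes, pattern: str = PATTERN):
    """Return [(part, decoded_text)] for request parts that contain
    the pattern once percent-encoding has been decoded."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    fields = lines[0].split(" ")
    # A well-formed request line is "METHOD URI VERSION"; a raw space in
    # the URI breaks that, so fall back to scanning the whole line.
    if len(fields) == 3:
        parts = [("request-uri", fields[1])]
    else:
        parts = [("request-line", lines[0])]
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            parts.append(("header:" + name.strip().lower(), value.strip()))
    hits = []
    for part, text in parts:
        decoded = unquote(text, encoding="latin-1")
        if pattern.lower() in decoded.lower():
            hits.append((part, decoded))
    return hits


def is_request_uri_hit(raw: bytes) -> bool:
    """True only when the pattern sits in the URI actually requested."""
    return any(part == "request-uri" for part, _ in locate_pattern(raw))


if __name__ == "__main__":
    for part, text in locate_pattern(CAPTURED):
        print(f"{part}: {text}")
    print("request URI affected:", is_request_uri_hit(CAPTURED))
```

For this capture the only hit is the Referer header; the URI being requested is an image under /images/.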
