[Snort-sigs] SID 1344

James Ashton james at ...2424...
Sat Aug 21 11:50:00 EDT 2004


I wasn't so much thinking of my application. I'm not too worried about
this happening. I was more concerned with improving the sig. This is a
pretty broad sig and the definition is listed as "no false positives
known". I have thousands of URLs here that trip it.

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Nigel
Houghton
Sent: Saturday, August 21, 2004 12:56 PM
To: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] SID 1344

On  0, James Ashton <james at ...2424...> allegedly wrote:
> I have been getting a lot of falses lately on SID:1344

And since the rule is looking for access to "cc" followed by a space, you
will continue to get events when your customers use URIs like

 http://www.turfcatering.com/hsc&cc menus.htm

Not sure what your best course of action might be here, stop using spaces
in URIs (my first choice), turn the rule off (You're using FreeBSD on the
server so there are many many things you can do to make sure you are not
affected by this issue) or create a pass rule maybe.

You're a hosting company right? So you'll already be running the websites
you host in a Jail correct? You'll be using securelevel and chflags to your
advantage too right? I would hope that no-one is able to access cc via a
URI on the hosted sites.

> Here is today's Pcap.
> 
> 
> 47 45 54 20 2F 69 6D 61 67 65 73 2F 68 73 5F 70 	GET /images/hs_p
> 68 6F 74 6F 5F 6E 69 67 68 74 6C 69 66 65 33 2E 	hoto_nightlife3.
> 6A 70 67 20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 	jpg HTTP/1.1..Ac
> 63 65 70 74 3A 20 2A 2F 2A 0D 0A 52 65 66 65 72 	cept: */*..Refer
> 65 72 3A 20 68 74 74 70 3A 2F 2F 77 77 77 2E 74 	er: http://www.t
> 75 72 66 63 61 74 65 72 69 6E 67 2E 63 6F 6D 2F 	urfcatering.com/
> 68 73 63 25 32 36 63 63 25 32 30 6D 65 6E 75 73 	hsc%26cc%20menus
> 2E 68 74 6D 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 	.htm..Accept-Lan
> 67 75 61 67 65 3A 20 65 6E 2D 75 73 0D 0A 41 63 	guage: en-us..Ac
> 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 	cept-Encoding: g
> 7A 69 70 2C 20 64 65 66 6C 61 74 65 0D 0A 55 73 	zip, deflate..Us
> 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 	er-Agent: Mozill
> 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 	a/4.0 (compatibl
> 65 3B 20 4D 53 49 45 20 36 2E 30 3B 20 57 69 6E 	e; MSIE 6.0; Win
> 64 6F 77 73 20 4E 54 20 35 2E 31 29 0D 0A 48 6F 	dows NT 5.1)..Ho
> 73 74 3A 20 77 77 77 2E 74 75 72 66 63 61 74 65 	st: www.turfcate
> 72 69 6E 67 2E 63 6F 6D 0D 0A 43 6F 6E 6E 65 63 	ring.com..Connec
> 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 	tion: Keep-Alive
> 0D 0A 0D 0A    
 
 
+-------------------------------------------------------------------------+
       Nigel Houghton       Research Engineer        Sourcefire Inc.
                       Vulnerability Research Team

  "Dude, dolphins are intelligent and friendly!" - Wendy
  "Intelligent and friendly on rye bread, with some mayonnaise." - Cartman
+-------------------------------------------------------------------------+
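Worked example (added here; not code from the thread, from Snort or from either poster): it rebuilds the request from the pcap above as constructed bytes, percent-decodes each field the way an HTTP normalizer would, and reports where the "cc followed by a space" pattern actually lands, so a match in the request URI (what the rule is after) can be told apart from one that only appears after decoding a Referer, as in this false positive. The field names and the triage labels are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed: the ASCII form of the hex dump posted in the thread.
REQUEST = (
    b"GET /images/hs_photo_nightlife3.jpg HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Referer: http://www.turfcatering.com/hsc%26cc%20menus.htm\r\n"
    b"Accept-Language: en-us\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Host: www.turfcatering.com\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)

# "cc" followed by a space, case-insensitive, as Nigel describes the rule.
PATTERN = re.compile(r"cc ", re.IGNORECASE)


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, URI and a header dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only, keeps "http://"
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers}


def find_matches(raw: bytes) -> list:
    """Return (field, form) pairs where the pattern occurs; form is 'raw'
    when the bytes on the wire already contain it, 'decoded' when it only
    appears after percent-decoding (e.g. cc%20 -> 'cc ')."""
    req = parse_request(raw)
    fields = {"uri": req["uri"]}
    fields.update({"header:" + k: v for k, v in req["headers"].items()})
    hits = []
    for field, value in fields.items():
        if PATTERN.search(value):
            hits.append((field, "raw"))
        elif PATTERN.search(unquote(value)):
            hits.append((field, "decoded"))
    return hits


def triage(raw: bytes) -> str:
    """'investigate' if the pattern sits in the request URI, 'likely-fp' if it
    only occurs in other headers such as a Referer, 'no-match' otherwise."""
    hits = find_matches(raw)
    if any(field == "uri" for field, _ in hits):
        return "investigate"
    return "likely-fp" if hits else "no-match"
```

For the posted packet the only hit is the Referer after decoding, which is why a pass rule keyed on that customer's file name, or a rule that inspects the normalized URI rather than the whole payload, would have avoided the event.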

