[Snort-sigs] Suggestions for new attack response rules

Brian caswell bmc at ...95...
Sat Dec 4 11:55:00 EST 2004


On Dec 3, 2004, at 4:36 PM, Jason wrote:
> assuming the 200 OK response is the only possible response and that 
> the request is not pipelined or chained in some other way, like at the 
> end of a keep-alive session...
>
> http://www.mozilla.org/projects/netlib/http/pipelining-faq.html

Not that you will hear this very often, but I 100% agree with Jason.  
This isn't a matter of performance.  This is a matter of right and 
wrong.

Not only will you get a ton of false negatives, you can get a ton of 
false positive "you got owned" alerts.  It would be rather trivial to 
convert a simple CGI scan into a "Oh god, the world is falling" 
generator.

Let me reiterate, the idea is a nice one.  However, in practice, it's 
not as simple as adding a few flowbits.

Brian
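The failure mode discussed in the thread, as an added illustration that is not part of the original posts and is not code from the Snort project or its rule sets. It models a hypothetical "attack response" rule pair (set a flowbit when the client sends a CGI probe, alert when a server segment starts with 200 OK while the bit is set) and runs it next to a detector that pairs each response with the request that produced it, over two constructed HTTP/1.1 captures: a scanner probing over a keep-alive connection, and the same probe pipelined behind another request. The probe signature, the capture contents and the host name are all made up for the example.

```python
import re
from collections import deque

# Hypothetical probe signature standing in for a CGI-scanner rule.
PROBE_RE = re.compile(rb"/cgi-bin/")
REQUEST_LINE_RE = re.compile(rb"(?:GET|HEAD|POST) (\S+) HTTP/1\.[01]\r\n")
STATUS_LINE_RE = re.compile(rb"HTTP/1\.[01] (\d{3}) ")
CONTENT_LENGTH_RE = re.compile(rb"\r\nContent-Length:[ \t]*(\d+)", re.I)


def parse_requests(data):
    """Split a client segment into request targets (body-less requests only,
    which covers GET/HEAD probes).  An incomplete trailing request is dropped;
    a real engine would reassemble it with the next segment."""
    targets, pos = [], 0
    while pos < len(data):
        end = data.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        m = REQUEST_LINE_RE.match(data, pos)
        if m:
            targets.append(m.group(1))
        pos = end + 4
    return targets


def parse_responses(data):
    """Split a server segment into status codes, skipping each body by its
    Content-Length so a pipelined second response is found where it starts,
    not wherever the bytes '200 OK' happen to occur."""
    codes, pos = [], 0
    while pos < len(data):
        end = data.find(b"\r\n\r\n", pos)
        m = STATUS_LINE_RE.match(data, pos)
        if end < 0 or not m:
            break
        codes.append(m.group(1))
        cl = CONTENT_LENGTH_RE.search(data, pos, end)
        pos = end + 4 + (int(cl.group(1)) if cl else 0)
    return codes


def naive_flowbit_alerts(flow):
    """Hypothetical rule pair: client segment matching the probe sets a bit;
    a server segment whose first status line is 200 OK alerts while the bit
    is set.  Nothing ties the bit to one request, so the 404 the probe got
    never clears it and the next 200 OK on the connection is reported as a
    successful attack; a 200 OK that arrives second in a pipelined segment
    is never looked at.  Returns the indexes of the alerting segments."""
    probe_seen, alerts = False, []
    for idx, (direction, data) in enumerate(flow):
        if direction == "client":
            probe_seen = probe_seen or bool(PROBE_RE.search(data))
        else:
            m = STATUS_LINE_RE.match(data)  # anchored at segment start
            if probe_seen and m and m.group(1) == b"200":
                alerts.append(idx)
    return alerts


def paired_alerts(flow):
    """Correlate every status line with the request it answers.  HTTP/1.1
    servers must answer pipelined requests in the order received (RFC 2616,
    section 8.1.2.2), so a FIFO of outstanding targets per connection is
    enough.  Only a 2xx answer to a probe request alerts."""
    outstanding, alerts = deque(), []
    for direction, data in flow:
        if direction == "client":
            outstanding.extend(parse_requests(data))
        else:
            for code in parse_responses(data):
                if not outstanding:
                    break  # response with no request on record: desynchronised
                target = outstanding.popleft()
                if PROBE_RE.search(target) and code.startswith(b"2"):
                    alerts.append(target)
    return alerts


def _req(path):
    return b"GET " + path + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def _resp(code, reason, body):
    return (b"HTTP/1.1 " + code + b" " + reason + b"\r\nContent-Length: "
            + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed capture 1: a scanner probes /cgi-bin/phf, gets a 404, then
# fetches /index.html on the same keep-alive connection.
KEEPALIVE_SCAN = [
    ("client", _req(b"/cgi-bin/phf")),
    ("server", _resp(b"404", b"Not Found", b"nope")),
    ("client", _req(b"/index.html")),
    ("server", _resp(b"200", b"OK", b"<html>hi</html>")),
]

# Constructed capture 2: two requests pipelined in one segment with the probe
# second; the server answers 404 then 200 in one segment, so the probe hit.
PIPELINED_HIT = [
    ("client", _req(b"/missing.html") + _req(b"/cgi-bin/phf")),
    ("server", _resp(b"404", b"Not Found", b"nope") + _resp(b"200", b"OK", b"phf output")),
]

if __name__ == "__main__":
    for name, flow in (("keep-alive scan", KEEPALIVE_SCAN), ("pipelined hit", PIPELINED_HIT)):
        print(name, "naive:", naive_flowbit_alerts(flow), "paired:", paired_alerts(flow))
```

The keep-alive capture is the false positive Brian describes (the naive rule fires on the 200 for /index.html, the pairing detector stays quiet), and the pipelined capture is a false negative for the naive rule (the probe's 200 is the second response in the segment). Even the pairing detector is only a sketch: it assumes in-order responses, ignores chunked bodies and reassembly across segments, and would still need the rule author to decide what a "successful" response to a given probe actually looks like.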
