[Snort-sigs] false positive in SID 1147

Dan Thorson dan.thorson at ...2264...
Tue Feb 24 06:54:30 EST 2004


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC cat%20 access"; flow:to_server,established; content:"cat%20"; nocase; reference:cve,CVE-1999-0039; reference:bugtraq,374; classtype:attempted-recon; sid:1147;  rev:5;)
--
Sid:  1147

--
Summary:
Report of false-positive
--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives: matching on "cat%20" is too generic. Orig String...
GET /image/Panzaicat%20REV%202_Page_017.jpg HTTP/1.1
Accept: */*
Referer: http://www.panzai.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 05 Feb 2004 21:13:33 GMT
If-None-Match: "34be3-5fbc-4022b1fd"
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 4.4.2.0; .NET CLR 1.0.3705)
Host: www.panzai.com
Connection: Keep-Alive

000 : 47 45 54 20 2F 69 6D 61 67 65 2F 50 61 6E 7A 61   GET /image/Panza
010 : 69 63 61 74 25 32 30 52 45 56 25 32 30 32 5F 50   icat%20REV%202_P
020 : 61 67 65 5F 30 31 37 2E 6A 70 67 20 48 54 54 50   age_017.jpg HTTP
030 : 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20 2A 2F   /1.1..Accept: */
040 : 2A 0D 0A 52 65 66 65 72 65 72 3A 20 68 74 74 70   *..Referer: http
050 : 3A 2F 2F 77 77 77 2E 70 61 6E 7A 61 69 2E 63 6F   ://www.panzai.co
060 : 6D 2F 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75   m/..Accept-Langu
070 : 61 67 65 3A 20 65 6E 2D 75 73 0D 0A 41 63 63 65   age: en-us..Acce
080 : 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A 69   pt-Encoding: gzi
090 : 70 2C 20 64 65 66 6C 61 74 65 0D 0A 49 66 2D 4D   p, deflate..If-M
0a0 : 6F 64 69 66 69 65 64 2D 53 69 6E 63 65 3A 20 54   odified-Since: T
0b0 : 68 75 2C 20 30 35 20 46 65 62 20 32 30 30 34 20   hu, 05 Feb 2004 
0c0 : 32 31 3A 31 33 3A 33 33 20 47 4D 54 0D 0A 49 66   21:13:33 GMT..If
0d0 : 2D 4E 6F 6E 65 2D 4D 61 74 63 68 3A 20 22 33 34   -None-Match: "34
0e0 : 62 65 33 2D 35 66 62 63 2D 34 30 32 32 62 31 66   be3-5fbc-4022b1f
0f0 : 64 22 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20   d"..User-Agent: 
100 : 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D   Mozilla/4.0 (com
110 : 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36 2E   patible; MSIE 6.
120 : 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E   0; Windows NT 5.
130 : 31 3B 20 48 6F 74 62 61 72 20 34 2E 34 2E 32 2E   1; Hotbar 4.4.2.
140 : 30 3B 20 2E 4E 45 54 20 43 4C 52 20 31 2E 30 2E   0; .NET CLR 1.0.
150 : 33 37 30 35 29 0D 0A 48 6F 73 74 3A 20 77 77 77   3705)..Host: www
160 : 2E 70 61 6E 7A 61 69 2E 63 6F 6D 0D 0A 43 6F 6E   .panzai.com..Con
170 : 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C   nection: Keep-Al
180 : 69 76 65 0D 0A 0D 0A                              ive....


--
False Negatives:

--
Corrective Action:

--
Contributors:

-- 
Additional References:
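As an added example (not part of the report above, not Snort code, and not a rule change proposed on the list), the following Python emulates the rule's `content:"cat%20"; nocase;` test over the benign request quoted in the report and over a constructed attack request with a hypothetical host and CGI script. The flow, port and direction preconditions of the rule are assumed satisfied. It also shows an assumed, narrower check (query string only, after a shell metacharacter) purely to illustrate why the whole-payload match is generic; the `rule_1147_content_match`, `narrowed_match` and `evaluate` names are this example's own.

```python
"""Added example for the SID 1147 false-positive report above.

Not Snort code: it emulates only the rule's `content:"cat%20"; nocase;` test
(flow, port and direction preconditions are assumed satisfied) and contrasts
it with an assumed, narrower check that confines the match to the request's
query string following a shell metacharacter.
"""
import re
from urllib.parse import urlsplit

# The benign request from the report (headers trimmed to the ones that matter).
BENIGN_REQUEST = (
    b"GET /image/Panzaicat%20REV%202_Page_017.jpg HTTP/1.1\r\n"
    b"Host: www.panzai.com\r\n"
    b"Referer: http://www.panzai.com/\r\n"
    b"\r\n"
)

# Constructed attack request (hypothetical host and script, not from the
# report): shell metacharacter injection carrying a URL-encoded "cat ".
ATTACK_REQUEST = (
    b"GET /cgi-bin/example.cgi?file=;cat%20/etc/passwd HTTP/1.0\r\n"
    b"Host: victim.example\r\n"
    b"\r\n"
)


def rule_1147_content_match(payload: bytes):
    """Emulate `content:"cat%20"; nocase;` from the rule quoted above: a
    case-insensitive substring search over the entire payload, which is
    exactly what makes the image filename in the report fire.
    Returns the byte offset of the first match, or None."""
    idx = payload.lower().find(b"cat%20")
    return idx if idx >= 0 else None


def request_target(payload: bytes) -> str:
    """Return the request-target from the request line ("GET <target> HTTP/x")."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line: %r" % request_line)
    return parts[1].decode("ascii", errors="replace")


# Assumed narrowing (illustration only, not Snort's fix): "cat%20" must be in
# the query string and follow a shell metacharacter, raw or URL-encoded
# (; | ` & and their %3b %7c %60 %26 forms).
_METACHAR_THEN_CAT = re.compile(
    r"(?:[;|`&]|%3b|%7c|%60|%26)\s*cat%20", re.IGNORECASE
)


def narrowed_match(payload: bytes) -> bool:
    """Fire only when cat%20 sits in the query string after a metacharacter."""
    query = urlsplit(request_target(payload)).query
    return _METACHAR_THEN_CAT.search(query) is not None


def evaluate(payload: bytes) -> dict:
    """Run both checks and report where the generic content match landed."""
    offset = rule_1147_content_match(payload)
    return {
        "sid1147_fires": offset is not None,
        "match_offset": offset,
        "narrowed_fires": narrowed_match(payload),
    }


if __name__ == "__main__":
    for label, req in (("benign (from report)", BENIGN_REQUEST),
                       ("constructed attack", ATTACK_REQUEST)):
        print(label, evaluate(req))
```

Running it shows the generic match hitting the benign request at offset 17 (the `cat%20` inside `Panzaicat%20REV`, as the hex dump above confirms at 0x11) as well as the constructed attack, while the query-string-scoped check fires only on the attack. A real rule would express the narrowing with Snort's own URI-scoped options rather than this regex; the point here is only that a raw substring over the whole payload cannot distinguish a filename from a command.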