[Snort-sigs] False positives on 1618.14 (WEB-IIS .asp chunked Transfer-Encoding)

nnposter at ...592... nnposter at ...592...
Fri Jul 2 22:02:10 EDT 2004

Rule:  WEB-IIS .asp chunked Transfer-Encoding

Sid: 1618

False Positives:
Current version of the rule matches even if string "chunked" 
precedes the Transfer-Encoding header, such as being part of
the URL.

I am proposing to add "distance":

(msg:"WEB-IIS .asp chunked Transfer-Encoding"; 
flow:to_server,established; uricontent:".asp"; nocase; 
content:"Transfer-Encoding|3A|"; nocase; 
content:"chunked"; nocase; distance:0;
reference:bugtraq,4474; reference:bugtraq,4485; 
reference:cve,2002-0071; reference:cve,2002-0079; 
classtype:web-application-attack; sid:1618; rev:15;)

Alternatively this could be resolved by converting to PCRE.

More information about the Snort-sigs mailing list