[Snort-sigs] False positives on 1618.14 (WEB-IIS .asp chunked Transfer-Encoding)

nnposter at ...592...
Fri Jul 2 22:02:10 EDT 2004


Rule:  WEB-IIS .asp chunked Transfer-Encoding

--
Sid: 1618

--
False Positives:
The current version of the rule matches even if the string "chunked"
precedes the Transfer-Encoding header, such as being part of
the URL.


I am proposing to add "distance":

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-IIS .asp chunked Transfer-Encoding"; 
flow:to_server,established; uricontent:".asp"; nocase; 
content:"Transfer-Encoding|3A|"; nocase; 
content:"chunked"; nocase; distance:0;
reference:bugtraq,4474; reference:bugtraq,4485; 
reference:cve,2002-0071; reference:cve,2002-0079; 
reference:nessus,10932; 
classtype:web-application-attack; sid:1618; rev:15;)

Alternatively this could be resolved by converting to PCRE.
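
Added example, not part of the original post: a simplified Python model of how the rule's two `content` matches behave with and without `distance:0`, run on constructed requests. The matcher, the function names, the sample requests and the header-anchored regex (one possible reading of the PCRE alternative) are assumptions.

```python
import re

def match_contents(payload, contents):
    """Simplified model of Snort content matching (assumption: only nocase and
    distance are modelled). contents is a list of (pattern, distance) pairs;
    distance None means "search the whole payload from offset 0"."""
    data, cursor = payload.lower(), 0
    for pattern, distance in contents:
        start = 0 if distance is None else cursor + distance
        idx = data.find(pattern.lower(), start)
        if idx < 0:
            return False
        cursor = idx + len(pattern)  # a relative match starts from here
    return True

def rule_fires(payload, relative):
    """relative=False models rev 14, relative=True the proposed distance:0."""
    uri = payload.split(b"\r\n", 1)[0].split(b" ")[1]  # stand-in for uricontent
    if b".asp" not in uri.lower():
        return False
    return match_contents(payload, [
        (b"Transfer-Encoding:", None),
        (b"chunked", 0 if relative else None),
    ])

# Hypothetical regex for the PCRE route: "chunked" must sit on the header line.
HEADER_RE = re.compile(rb"^Transfer-Encoding:[^\r\n]*chunked", re.I | re.M)

def regex_fires(payload):
    return HEADER_RE.search(payload) is not None

# Constructed sample requests.
URL_ONLY = (b"GET /chunked/report.asp HTTP/1.1\r\nHost: www.example.com\r\n"
            b"Transfer-Encoding: identity\r\n\r\n")
REAL_CHUNKED = (b"POST /app/form.asp HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Transfer-Encoding: chunked\r\n\r\n4\r\ntest\r\n0\r\n\r\n")
LATER_HEADER = (b"POST /app/form.asp HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Transfer-Encoding: identity\r\nX-Note: not-chunked\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("URL_ONLY", URL_ONLY), ("REAL_CHUNKED", REAL_CHUNKED),
                      ("LATER_HEADER", LATER_HEADER)]:
        print(name, rule_fires(req, False), rule_fires(req, True), regex_fires(req))
```

The third request shows that `distance:0` still matches "chunked" anywhere after the header name, which an expression anchored to the header line avoids.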



