[Snort-sigs] False positives on 1807.9 (WEB-MISC Chunked-Encoding transfer attempt)

nnposter at ...592...
Fri Jul 2 22:15:04 EDT 2004

Rule:  WEB-MISC Chunked-Encoding transfer attempt

Sid: 1807

False Positives:
The current version of the rule matches even if the string "chunked"
precedes the Transfer-Encoding header, such as when it is part of
the URL.

I am proposing to add "distance":

(msg:"WEB-MISC Chunked-Encoding transfer attempt"; 
content:"Transfer-Encoding|3A|"; nocase; 
content:"chunked"; nocase; distance:0;
reference:bugtraq,4474; reference:bugtraq,4485; 
reference:bugtraq,5033; reference:cve,2002-0071; 
reference:cve,2002-0079; reference:cve,2002-0392; 
classtype:web-application-attack; sid:1807; rev:10;)

Alternatively this could be resolved by converting to PCRE.
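
The false positive and the effect of distance:0, as an added example that is not part of the original post: a simplified Python model of Snort content matching run over constructed requests. The function names, the sample requests and the line-anchored regex (one possible shape for the PCRE alternative) are assumptions made for illustration.

```python
import re

# The two content patterns from the rule; |3A| is the hex escape for ":".
CONTENTS = [b"Transfer-Encoding:", b"chunked"]

# Hypothetical line-anchored expression, one possible shape for the PCRE
# alternative the post mentions (not taken from any Snort rule).
HEADER_RE = re.compile(rb"^Transfer-Encoding:[^\r\n]*chunked", re.I | re.M)


def contents_match(payload: bytes, relative: bool) -> bool:
    """Simplified model of Snort 'content' matching with nocase.

    relative=False: every pattern is searched from the start of the payload.
    relative=True:  patterns after the first carry distance:0, so the search
                    resumes where the previous match ended.
    """
    data = payload.lower()
    cursor = 0
    for pattern in CONTENTS:
        start = cursor if relative else 0
        found = data.find(pattern.lower(), start)
        if found < 0:
            return False
        cursor = found + len(pattern)
    return True


def evaluate(payload: bytes) -> dict:
    """Return the verdict of each rule variant for one request."""
    return {
        "current": contents_match(payload, relative=False),
        "distance0": contents_match(payload, relative=True),
        "line_regex": HEADER_RE.search(payload) is not None,
    }


# Constructed sample requests (not captured traffic).
URL_ONLY = (b"POST /chunked/upload.cgi HTTP/1.1\r\nHost: www.example.com\r\n"
            b"Transfer-Encoding: identity\r\nContent-Length: 4\r\n\r\ntest")
REAL_CHUNKED = (b"POST /upload.cgi HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Transfer-Encoding: chunked\r\n\r\n4\r\ntest\r\n0\r\n\r\n")
LATER_HEADER = (b"POST /upload.cgi HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Transfer-Encoding: identity\r\nX-Note: not chunked\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("URL_ONLY", URL_ONLY), ("REAL_CHUNKED", REAL_CHUNKED),
                      ("LATER_HEADER", LATER_HEADER)]:
        print(name, evaluate(req))
```

distance:0 only orders the two matches, so "chunked" in any later header or in the body still satisfies it (the LATER_HEADER case); tying the match to the header line is what a PCRE conversion would add.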
