[Snort-sigs] False positives on 1807.9 (WEB-MISC Chunked-Encoding transfer attempt)

nnposter at ...592... nnposter at ...592...
Fri Jul 2 22:15:04 EDT 2004


Rule:  WEB-MISC Chunked-Encoding transfer attempt

--
Sid: 1807

--
False Positives:
Current version of the rule matches even if string "chunked" 
precedes the Transfer-Encoding header, such as being part of
the URL.


I am proposing to add "distance":

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-MISC Chunked-Encoding transfer attempt"; 
flow:to_server,established; 
content:"Transfer-Encoding|3A|"; nocase; 
content:"chunked"; nocase; distance:0;
reference:bugtraq,4474; reference:bugtraq,4485; 
reference:bugtraq,5033; reference:cve,2002-0071; 
reference:cve,2002-0079; reference:cve,2002-0392; 
classtype:web-application-attack; sid:1807; rev:10;)

Alternatively this could be resolved by converting to PCRE.




More information about the Snort-sigs mailing list