[Snort-sigs] False positives on 1618.14 (WEB-IIS .asp chunked Transfer-Encoding)

Brian bmc at ...95...
Tue Jul 6 08:09:16 EDT 2004


On Fri, Jul 02, 2004 at 10:00:00PM -0600, nnposter at ...592... wrote:
> 
> Rule:  WEB-IIS .asp chunked Transfer-Encoding
> 
> --
> Sid: 1618
> 
> --
> False Positives:
> Current version of the rule matches even if string "chunked" 
> precedes the Transfer-Encoding header, such as being part of
> the URL.
> 
> 
> I am proposing to add "distance":
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
> (msg:"WEB-IIS .asp chunked Transfer-Encoding"; 
> flow:to_server,established; uricontent:".asp"; nocase; 
> content:"Transfer-Encoding|3A|"; nocase; 
> content:"chunked"; nocase; distance:0;
> reference:bugtraq,4474; reference:bugtraq,4485; 
> reference:cve,2002-0071; reference:cve,2002-0079; 
> reference:nessus,10932; 
> classtype:web-application-attack; sid:1618; rev:15;)
> 
> Alternatively this could be resolved by converting to PCRE.

Yep.
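Added example, not part of the original thread and not Snort's own code: a small Python model of how the two `content` options of sid 1618 behave with and without `distance:0`, run over constructed requests. The function names and sample payloads are assumptions made for illustration, and `uricontent` is approximated by inspecting the request-line URI.

```python
# Model of Snort content matching for sid 1618 (illustration only, not Snort code).

def find_nocase(payload: bytes, pattern: bytes, start: int = 0) -> int:
    """Return the offset just past the first case-insensitive match, or -1."""
    idx = payload.lower().find(pattern.lower(), start)
    return -1 if idx < 0 else idx + len(pattern)

def uri_has_asp(payload: bytes) -> bool:
    """Approximation of uricontent:".asp"; nocase using the request-line URI."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) >= 2 and b".asp" in parts[1].lower()

def match_without_distance(payload: bytes) -> bool:
    """Current rule: each content is searched independently from the payload start."""
    return (uri_has_asp(payload)
            and find_nocase(payload, b"Transfer-Encoding:") >= 0
            and find_nocase(payload, b"chunked") >= 0)

def match_with_distance(payload: bytes) -> bool:
    """Proposed rule: distance:0 starts the "chunked" search where the
    "Transfer-Encoding|3A|" match ended."""
    if not uri_has_asp(payload):
        return False
    end = find_nocase(payload, b"Transfer-Encoding:")
    return end >= 0 and find_nocase(payload, b"chunked", end) >= 0

# Constructed sample requests (not captured traffic).
HDR = b"Host: www.example.com\r\n"
# "chunked" only in the URL, before the header: the reported false positive.
FP_REQUEST = (b"POST /chunked/upload.asp HTTP/1.1\r\n" + HDR +
              b"Transfer-Encoding: identity\r\nContent-Length: 4\r\n\r\ndata")
# A genuinely chunked request to an .asp page.
CHUNKED_REQUEST = (b"POST /default.asp HTTP/1.1\r\n" + HDR +
                   b"Transfer-Encoding: chunked\r\n\r\n4\r\ndata\r\n0\r\n\r\n")
# "chunked" only in the body, after the header: distance:0 sets no upper
# bound, so this still matches unless the rule is bounded further
# (for example with "within" or the PCRE conversion mentioned above).
LATER_REQUEST = (b"POST /upload.asp HTTP/1.1\r\n" + HDR +
                 b"Transfer-Encoding: identity\r\nContent-Length: 7\r\n\r\nchunked")

if __name__ == "__main__":
    for name, req in [("url", FP_REQUEST), ("chunked", CHUNKED_REQUEST),
                      ("body", LATER_REQUEST)]:
        print(name, match_without_distance(req), match_with_distance(req))
```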



