[Snort-sigs] False positives on 1618.14 (WEB-IIS .asp chunked Transfer-Encoding)
bmc at ...95...
Tue Jul 6 08:09:16 EDT 2004
On Fri, Jul 02, 2004 at 10:00:00PM -0600, nnposter at ...592... wrote:
> Rule: WEB-IIS .asp chunked Transfer-Encoding
> Sid: 1618
> False Positives:
> Current version of the rule matches even if string "chunked"
> precedes the Transfer-Encoding header, such as being part of
> the URL.
> I am proposing to add "distance":
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"WEB-IIS .asp chunked Transfer-Encoding";
> flow:to_server,established; uricontent:".asp"; nocase;
> content:"Transfer-Encoding|3A|"; nocase;
> content:"chunked"; nocase; distance:0;
> reference:bugtraq,4474; reference:bugtraq,4485;
> reference:cve,2002-0071; reference:cve,2002-0079;
> classtype:web-application-attack; sid:1618; rev:15;)
> Alternatively this could be resolved by converting to PCRE.
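Added example, not part of the original thread and not Snort code: a simplified Python model of the content matching in the quoted rule, showing why `distance:0` removes the URL false positive. It assumes the current rule is the quoted one without `distance:0`, ignores URI normalization, and uses constructed requests; the third request shows that `distance:0` alone still matches "chunked" anywhere after the header.

```python
# Simplified model of Snort content matching for sid 1618 (illustrative only).
# Each content is (pattern, relative). relative=True models "distance:0":
# the search starts where the previous content match ended.

def contents_match(payload, contents, start=0, idx=0):
    if idx == len(contents):
        return True
    pattern, relative = contents[idx]
    haystack = payload.lower()            # every content in the rule is nocase
    needle = pattern.lower()
    pos = haystack.find(needle, start if relative else 0)
    while pos != -1:
        if contents_match(payload, contents, pos + len(needle), idx + 1):
            return True
        pos = haystack.find(needle, pos + 1)   # try the next occurrence
    return False

def rule_matches(request, contents):
    # Stand-in for uricontent:".asp"; nocase (assumption: no normalization).
    uri = request.split(b"\r\n", 1)[0].split(b" ")[1]
    return b".asp" in uri.lower() and contents_match(request, contents)

# "Transfer-Encoding|3A|" is "Transfer-Encoding:" (0x3A is the colon).
WITHOUT_DISTANCE = [(b"Transfer-Encoding:", False), (b"chunked", False)]
WITH_DISTANCE = [(b"Transfer-Encoding:", False), (b"chunked", True)]

# Constructed sample requests.
URL_ONLY = (b"POST /chunked/upload.asp HTTP/1.1\r\nHost: www.example.com\r\n"
            b"Transfer-Encoding: identity\r\nContent-Length: 0\r\n\r\n")
REAL_CHUNKED = (b"POST /a.asp HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
LATER_HEADER = (b"POST /form.asp HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Transfer-Encoding: identity\r\n"
                b"Referer: http://www.example.com/chunked.html\r\n\r\n")

if __name__ == "__main__":
    samples = [("url only", URL_ONLY), ("real chunked", REAL_CHUNKED),
               ("later header", LATER_HEADER)]
    for name, req in samples:
        print(name, rule_matches(req, WITHOUT_DISTANCE),
              rule_matches(req, WITH_DISTANCE))
```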