[Snort-sigs] False positives on 1806.7 (WEB-IIS .htr chunked Transfer-Encoding)

Brian bmc at ...95...
Tue Jul 6 08:10:05 EDT 2004


On Fri, Jul 02, 2004 at 10:07:00PM -0600, nnposter at ...592... wrote:
> 
> Rule:  WEB-IIS .htr chunked Transfer-Encoding
> 
> --
> Sid: 1806
> 
> --
> False Positives:
> Current version of the rule matches even if string "chunked" 
> precedes the Transfer-Encoding header, such as being part of
> the URL.
> 
> 
> I am proposing to add "distance":
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
> (msg:"WEB-IIS .htr chunked Transfer-Encoding"; 
> flow:to_server,established; uricontent:".htr"; nocase; 
> content:"Transfer-Encoding|3A|"; nocase; 
> content:"chunked"; nocase; distance:0;
> reference:bugtraq,4855; reference:bugtraq,5003; 
> reference:cve,2002-0364; 
> classtype:web-application-attack; sid:1806; rev:8;)
> 
> Alternatively this could be resolved by converting to PCRE.

yep
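
Added example, not part of the original thread: a simplified Python model of the content matching discussed above, comparing the rule without `distance`, the proposed `distance:0`, and a header-line regex as one assumed reading of the PCRE alternative. The sample requests, function names and the regex are constructed for illustration; Snort's real uricontent normalization is not modelled.

```python
import re

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "chunked_in_url": b"GET /chunked/report.htr HTTP/1.1\r\nHost: www.example.com\r\n"
                      b"Transfer-Encoding: identity\r\n\r\n",
    "chunked_header": b"POST /report.htr HTTP/1.1\r\nHost: www.example.com\r\n"
                      b"Transfer-Encoding: chunked\r\n\r\n",
    "chunked_later":  b"POST /report.htr HTTP/1.1\r\nHost: www.example.com\r\n"
                      b"Transfer-Encoding: identity\r\nX-Note: chunked\r\n\r\n",
}

TE = b"transfer-encoding:"  # content:"Transfer-Encoding|3A|"; nocase;

def has_htr_uri(payload: bytes) -> bool:
    # Simplified uricontent:".htr"; nocase; (raw request-line URI only).
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) >= 2 and b".htr" in parts[1].lower()

def match_independent(payload: bytes) -> bool:
    # Without distance: every content is searched from the start of the payload,
    # so "chunked" in the URL satisfies the last content match.
    p = payload.lower()
    return has_htr_uri(payload) and TE in p and b"chunked" in p

def match_distance0(payload: bytes) -> bool:
    # With distance:0 the "chunked" search starts where the previous match ended.
    # No upper bound (no "within"), so anything later in the payload still counts.
    p = payload.lower()
    pos = p.find(TE)
    return has_htr_uri(payload) and pos >= 0 and p.find(b"chunked", pos + len(TE)) >= 0

# Hypothetical regex form: "chunked" must sit on the Transfer-Encoding line itself.
TE_LINE = re.compile(rb"^Transfer-Encoding:[^\r\n]*chunked", re.I | re.M)

def match_header_line(payload: bytes) -> bool:
    return has_htr_uri(payload) and TE_LINE.search(payload) is not None

def compare() -> dict:
    # name -> (no distance, distance:0, header-line regex)
    return {name: (match_independent(p), match_distance0(p), match_header_line(p))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:15} {result}")
```

The third sample shows what `distance:0` alone leaves open: with no upper bound, "chunked" anywhere after the header name still matches.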



