[Snort-sigs] False positives on 1807.9 (WEB-MISC Chunked-Encoding transfer attempt)

Brian bmc at ...95...
Tue Jul 6 08:10:18 EDT 2004


yep
On Fri, Jul 02, 2004 at 10:12:00PM -0600, nnposter at ...592... wrote:
> 
> Rule:  WEB-MISC Chunked-Encoding transfer attempt
> 
> --
> Sid: 1807
> 
> --
> False Positives:
> Current version of the rule matches even if string "chunked" 
> precedes the Transfer-Encoding header, such as being part of
> the URL.
> 
> 
> I am proposing to add "distance":
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
> (msg:"WEB-MISC Chunked-Encoding transfer attempt"; 
> flow:to_server,established; 
> content:"Transfer-Encoding|3A|"; nocase; 
> content:"chunked"; nocase; distance:0;
> reference:bugtraq,4474; reference:bugtraq,4485; 
> reference:bugtraq,5033; reference:cve,2002-0071; 
> reference:cve,2002-0079; reference:cve,2002-0392; 
> classtype:web-application-attack; sid:1807; rev:10;)
> 
> Alternatively this could be resolved by converting to PCRE.
> 
> 
> 
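
Added example, not part of the original thread and not Snort's own code: a minimal Python emulation of the two `content` options in sid 1807, evaluated with and without `distance:0` against constructed requests. It assumes the current rule uses the same two patterns without `distance`; the function names and sample requests are hypothetical.

```python
# Emulates only the two content matches of sid 1807 (nocase, optional distance:0).
# Flow, ports and every other rule option are ignored here.

def find_nocase(payload: bytes, pattern: bytes, start: int = 0) -> int:
    """Return the offset just past the first case-insensitive match, or -1."""
    idx = payload.lower().find(pattern.lower(), start)
    return -1 if idx < 0 else idx + len(pattern)

def rule_matches(payload: bytes, relative: bool) -> bool:
    """relative=False: both patterns are searched from the start of the payload.
    relative=True: the second search starts where the first match ended (distance:0)."""
    # "Transfer-Encoding|3A|" in the rule is the header name followed by a colon.
    end_first = find_nocase(payload, b"Transfer-Encoding:")
    if end_first < 0:
        return False
    start = end_first if relative else 0
    return find_nocase(payload, b"chunked", start) >= 0

def evaluate(payload: bytes) -> tuple:
    """Return (alert without distance, alert with distance:0)."""
    return (rule_matches(payload, False), rule_matches(payload, True))

# Constructed sample requests, not captured traffic.
URL_ONLY = (b"GET /docs/chunked.html HTTP/1.1\r\n"
            b"Host: www.example.com\r\n"
            b"Transfer-Encoding: identity\r\n\r\n")
REAL_CHUNKED = (b"POST /upload HTTP/1.1\r\n"
                b"Host: www.example.com\r\n"
                b"Transfer-Encoding: chunked\r\n\r\n"
                b"5\r\nhello\r\n0\r\n\r\n")
LATER_HEADER = (b"GET / HTTP/1.1\r\n"
                b"Host: www.example.com\r\n"
                b"Transfer-Encoding: identity\r\n"
                b"X-Note: chunked\r\n\r\n")

if __name__ == "__main__":
    samples = {"URL_ONLY": URL_ONLY, "REAL_CHUNKED": REAL_CHUNKED,
               "LATER_HEADER": LATER_HEADER}
    for name, payload in samples.items():
        print(name, evaluate(payload))
```

`distance:0` only requires "chunked" somewhere after the header name, so the `LATER_HEADER` sample still alerts; tying the value to the same header line is something the PCRE alternative mentioned in the post could express.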



