[Snort-sigs] Interesting false positive for HTTP_Connect
matt at ...2436...
Sun Jul 18 11:20:00 EDT 2004
> So I should not do rules after 6pm, not on weekends, and only when I
> have the time to test them, apologies to anyone that got inundated with
> crap alerts.
My only rule is a 2 drink maximum before I post something. Not that
that's never been violated. Guess it's more of a "guideline" than a
> Here is an updated version that fixes a problem with the alignment of
> HTTP/1. and adds within to the negative tests. I did not see any false
> positives across a few gigs of traffic and it fires when I hit a proxy
> connecting to a non standard web port. I also did not put in flow which
> is just plain stupid.
The new version is posted on bleedingsnort and doing well. Thanks Jason,
alert tcp any any -> any any ( msg:"BLEEDING-EDGE HTTP CONNECT Tunnel Attempt"; content:"CONNECT"; nocase; content:"|0d 0a|"; distance:0; within:1024; content:"HTTP/1."; distance:-10; within:8; nocase; content:!"\:80"; distance:-11; within:4; content:"CONNECT"; nocase; content:"|0d 0a|"; distance:0; within:1024; content:"HTTP/1."; distance:-10; within:8; nocase; content:!"\:443"; distance:-12; within:5; flow:to_server,established; sid:2000560; rev:2; )
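To show how the distance/within arithmetic in the rule above decides what fires, here is an added Python emulation of its option chain (written for this page, not taken from the post and not Snort's own matching engine), run over constructed CONNECT request lines; the hostnames and ports in the samples are invented.

```python
"""Emulate the relative content checks of the HTTP CONNECT tunnel rule
(sid:2000560) over constructed request lines. Snort semantics assumed:
the search window starts `distance` bytes from the cursor (end of the
previous match) and the pattern must lie within the next `within` bytes."""


def _content(buf, pattern, cursor, distance=0, within=None, nocase=False):
    # Return the new cursor (end of match) or None if the pattern is absent.
    if within is None:
        within = len(buf)  # first content option: whole payload
    start = max(cursor + distance, 0)
    win = buf[start:start + within]
    if nocase:
        win, pattern = win.lower(), pattern.lower()
    idx = win.find(pattern)
    return None if idx < 0 else start + idx + len(pattern)


def _half(payload, negated, distance, within):
    # One of the two identical option chains in the rule; they differ only
    # in the negated port pattern checked just before "HTTP/1.".
    cur = _content(payload, b"CONNECT", 0, nocase=True)
    if cur is None:
        return False
    cur = _content(payload, b"\r\n", cur, 0, 1024)
    if cur is None:
        return False
    # distance:-10 within:8 lands exactly on "HTTP/1.x" before the CRLF
    cur = _content(payload, b"HTTP/1.", cur, -10, 8, nocase=True)
    if cur is None:
        return False
    # Negated content succeeds only when the pattern is NOT in the window.
    return _content(payload, negated, cur, distance, within) is None


def connect_tunnel_alert(payload: bytes) -> bool:
    """True when the rule would fire: a CONNECT to a port that is
    neither :80 (4 bytes before HTTP/1.) nor :443 (5 bytes before)."""
    return _half(payload, b":80", -11, 4) and _half(payload, b":443", -12, 5)


# Constructed sample request lines (not traffic from the original post).
SAMPLES = [
    b"CONNECT proxy.example.test:8080 HTTP/1.1\r\n",  # fires
    b"CONNECT mail.example.test:25 HTTP/1.0\r\n",     # fires
    b"CONNECT www.example.test:443 HTTP/1.1\r\n",     # excluded
    b"CONNECT www.example.test:80 HTTP/1.1\r\n",      # excluded
    b"CONNECT host.example.test:8080 HTTP/1.1 \r\n",  # misaligned, no fire
]
```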