[Snort-sigs] Interesting false positive for HTTP_Connect

Matthew Jonkman matt at ...2436...
Sun Jul 18 11:20:00 EDT 2004


Jason wrote:

> So I should not do rules after 6pm, not on weekends, and only when I 
> have the time to test them, apologies to anyone that got inundated with 
> crap alerts.

My only rule is a 2 drink maximum before I post something. Not that 
that's never been violated. Guess it's more of a "guideline" than a 
rule.  :)

> 
> Here is an updated version that fixes a problem with the alignment of 
> HTTP/1. and adds within to the negative tests. I did not see any false 
> positives across a few gigs of traffic and it fires when I hit a proxy 
> connecting to a non standard web port. I also did not put in flow which 
> is just plain stupid.

The new version is posted on bleedingsnort and doing well. Thanks Jason, 
great work.

alert tcp any any -> any any ( msg:"BLEEDING-EDGE HTTP CONNECT Tunnel Attempt"; content:"CONNECT"; nocase; content:"|0d 0a|"; distance:0; within:1024; content:"HTTP/1."; distance:-10; within:8; nocase; content:!"\:80"; distance:-11; within:4; content:"CONNECT"; nocase; content:"|0d 0a|"; distance:0; within:1024; content:"HTTP/1."; distance:-10; within:8; nocase; content:!"\:443"; distance:-12; within:5; flow:to_server,established; sid:2000560; rev:2; )

Matt
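The rule above works by walking a cursor through the request: it finds CONNECT, jumps to the first CRLF, steps back to the "HTTP/1." version token, and then inspects the few bytes immediately before that token, raising an alert only when those bytes are neither ":80" nor ":443". The following Python is an added illustration, not part of the original thread or of the bleedingsnort rule set. It re-implements that cursor walk on constructed sample payloads (no captured traffic) and puts a plain request-line parser beside it, so a reader can see why a CONNECT to 8080, 22 or 8443 fires while 80 and 443 do not. It assumes the first occurrence of CONNECT is the one to examine and does not reproduce Snort's retry of earlier content matches; the sample hosts, ports and function names are the author's own.

```python
import re

# Constructed sample payloads (not captured traffic), one client request each.
SAMPLE_PAYLOADS = [
    b"CONNECT mail.example.com:443 HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    b"CONNECT www.example.com:80 HTTP/1.0\r\n\r\n",
    b"connect 203.0.113.5:8080 http/1.1\r\n\r\n",       # nocase: lower-case verb and version
    b"CONNECT 198.51.100.7:22 HTTP/1.1\r\n\r\n",         # tunnelling a non-web port
    b"CONNECT 198.51.100.7:8443 HTTP/1.1\r\n\r\n",       # ":443" appears, but outside the 5-byte window
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]


def _find_nocase(buf, needle, start, end):
    """Case-insensitive search for needle fully inside buf[start:end]; -1 if absent."""
    return buf.lower().find(needle.lower(), start, end)


def snort_style_match(payload):
    """Mirror the rule's content/distance/within chain on one payload.

    Cursor semantics as in Snort 2: the cursor sits at the end of the previous match,
    distance moves it (negative values step backwards), within limits how far the next
    match may end past that point, and a negated content succeeds when the pattern is
    absent from its window. Only the first CONNECT is examined (simplification).
    """
    # content:"CONNECT"; nocase;
    i = _find_nocase(payload, b"CONNECT", 0, len(payload))
    if i < 0:
        return False
    cursor = i + len(b"CONNECT")
    # content:"|0d 0a|"; distance:0; within:1024;
    j = payload.find(b"\r\n", cursor, cursor + 1024)
    if j < 0:
        return False
    cursor = j + 2
    # content:"HTTP/1."; distance:-10; within:8; nocase;
    start = max(cursor - 10, 0)
    k = _find_nocase(payload, b"HTTP/1.", start, start + 8)
    if k < 0:
        return False
    cursor = k + len(b"HTTP/1.")
    # content:!"\:80"; distance:-11; within:4;  -> the 4 bytes just before "HTTP/1."
    win80 = payload[max(cursor - 11, 0):max(cursor - 11, 0) + 4]
    if b":80" in win80:
        return False
    # The second half re-anchors identically, then:
    # content:!"\:443"; distance:-12; within:5;  -> the 5 bytes just before "HTTP/1."
    win443 = payload[max(cursor - 12, 0):max(cursor - 12, 0) + 5]
    if b":443" in win443:
        return False
    return True


# Plain parser of the CONNECT request line, for comparison with the byte-window rule.
CONNECT_LINE = re.compile(
    rb"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d+)\s+HTTP/1\.[01]\r\n", re.IGNORECASE
)


def connect_target(payload):
    """Return (host, port) for a CONNECT request line, or None for anything else."""
    m = CONNECT_LINE.match(payload)
    if not m:
        return None
    return m.group("host").decode("ascii"), int(m.group("port"))


def tunnel_alerts(payloads):
    """Alert on CONNECT requests whose target port is neither 80 nor 443."""
    alerts = []
    for p in payloads:
        target = connect_target(p)
        if target and target[1] not in (80, 443):
            alerts.append(target)
    return alerts


def rule_agrees(payloads):
    """True when the byte-window emulation and the parser flag the same requests."""
    by_rule = [snort_style_match(p) for p in payloads]
    by_parser = [connect_target(p) is not None and connect_target(p)[1] not in (80, 443)
                 for p in payloads]
    return by_rule == by_parser


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(snort_style_match(p), p.split(b"\r\n", 1)[0].decode("ascii"))
    print("agree:", rule_agrees(SAMPLE_PAYLOADS))
```

Two points worth noting from running it: the negated contents are purely positional, so the rule cannot confuse ":8080" with ":80" or ":8443" with ":443", but it will equally fire on any legitimate proxy CONNECT to a non-standard port (8443 is a common one), which is the kind of tuning decision the thread is about. And because the rule inspects only the bytes before "HTTP/1.", the parser above is the stricter of the two; where they disagree on real traffic, the disagreement itself is a useful hint about what the rule is actually keying on.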
