[Snort-sigs] Interesting false positive for HTTP_Connect

Matthew Jonkman matt at ...2436...
Sun Jul 18 11:30:04 EDT 2004


Take that back, tested it before posting it and it's still hitting on 
every http request.

Jason, do you think it's hitting on "Connection: Keep Alive" in these 
packets? Since there's a nocase on the connect it would hit here.

Matt

Matthew Jonkman wrote:

> Jason wrote:
> 
>> So I should not do rules after 6pm, not on weekends, and only when I 
>> have the time to test them, apologies to anyone that got inundated 
>> with crap alerts.
> 
> 
> My only rule is a 2 drink maximum before I post something. Not that 
> that's never been violated. Guess it's more of a "guideline" than a 
> rule.  :)
> 
>>
>> Here is an updated version that fixes a problem with the alignment of 
>> HTTP/1. and adds within to the negative tests. I did not see any false 
>> positives across a few gigs of traffic and it fires when I hit a proxy 
>> connecting to a non standard web port. I also did not put in flow 
>> which is just plain stupid.
> 
> 
> The new version is posted on bleedingsnort and doing well. Thanks Jason, 
> great work.
> 
> alert tcp any any -> any any ( msg:"BLEEDING-EDGE HTTP CONNECT Tunnel 
> Attempt"; content:"CONNECT"; nocase; content:"|0d 0a|"; distance:0; 
> within:1024; content:"HTTP/1."; distance:-10; within:8; nocase; 
> content:!"\:80"; distance:-11; within:4; content:"CONNECT"; nocase; 
> content:"|0d 0a|"; distance:0; within:1024; content:"HTTP/1."; 
> distance:-10; within:8; nocase; content:!"\:443"; distance:-12; 
> within:5; flow:to_server,established; sid:2000560; rev:2; )
> 
> Matt
> 
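As an added illustration that is not part of the thread or of the bleedingsnort rule, the Python below models the collision Matt suspects (a case-insensitive substring test for "CONNECT" also matching the "Connection:" header) next to a request-line check that only fires on a genuine CONNECT to a port other than 80 or 443. The sample requests are constructed; the allowed-port list and function names are my own.

```python
import re

# Constructed sample requests (not captured traffic).
CONNECT_NONSTD = (b"CONNECT internal.example:8443 HTTP/1.1\r\n"
                  b"Host: internal.example:8443\r\n\r\n")
CONNECT_443 = b"CONNECT www.example.com:443 HTTP/1.0\r\n\r\n"
CONNECT_V6 = b"CONNECT [2001:db8::1]:8080 HTTP/1.1\r\n\r\n"
GET_KEEPALIVE = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"Connection: Keep-Alive\r\n\r\n")


def naive_hit(payload: bytes) -> bool:
    """Model of the rule's first test alone: content:"CONNECT"; nocase;
    anywhere in the payload. 'Connection: Keep-Alive' satisfies it too."""
    return b"connect" in payload.lower()


# Anchored at offset 0: method token, whitespace, host:port, HTTP/1.x, CRLF.
# Method tokens are case-sensitive in HTTP, so no nocase is needed here.
REQUEST_LINE = re.compile(
    rb"^CONNECT[ \t]+(?P<host>\[[^\]]+\]|[^\s:]+):(?P<port>\d{1,5})"
    rb"[ \t]+HTTP/1\.[01]\r\n"
)


def connect_tunnel_to_nonstandard_port(payload: bytes, allowed=(80, 443)):
    """Return the target port when the payload starts with a CONNECT request
    line whose port is outside `allowed`; otherwise None. Because the match
    is anchored to the request line, a 'Connection:' header in a GET/POST
    can never trigger it, and :80/:443 tunnels are excluded as in the rule."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    port = int(m.group("port"))
    return None if port in allowed else port


if __name__ == "__main__":
    for name, req in [("CONNECT :8443", CONNECT_NONSTD), ("CONNECT :443", CONNECT_443),
                      ("CONNECT v6 :8080", CONNECT_V6), ("GET keep-alive", GET_KEEPALIVE)]:
        print(f"{name:18} substring hit={naive_hit(req)!s:5} "
              f"anchored port={connect_tunnel_to_nonstandard_port(req)}")
```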