[Snort-sigs] Interesting false positive for HTTP_Connect
security at ...704...
Sun Jul 18 12:49:04 EDT 2004
The space after CONNECT got removed.
it should be content:"CONNECT " not content:"CONNECT"
For that matter it should be done up something like
content:"CONNECT"; nocase; pcre:"/^CONNECT\s*/smi"
but that will have to wait till later.
Matthew Jonkman wrote:
> Take that back, tested it before posting it and it's still hitting on
> every http request.
> Jason, do you think it's hitting on "Connection: Keep Alive" in these
> packets? Since there's a nocase on the connect it would hit here.
> Matthew Jonkman wrote:
>> Jason wrote:
>>> So I should not do rules after 6pm, not on weekends, and only when I
>>> have the time to test them, apologies to anyone that got inundated
>>> with crap alerts.
>> My only rule is a 2 drink maximum before I post something. Not that
>> that's never been violated. Guess it's more of a "guideline" than a
>> rule. :)
>>> Here is an updated version that fixes a problem with the alignment of
>>> HTTP/1. and adds within to the negative tests. I did not see any
>>> false positives across a few gigs of traffic and it fires when I hit
>>> a proxy connecting to a non standard web port. I also did not put in
>>> flow which is just plain stupid.
>> The new version is posted on bleedingsnort and doing well. Thanks
>> Jason, great work.
>> alert tcp any any -> any any ( msg:"BLEEDING-EDGE HTTP CONNECT Tunnel
>> Attempt"; content:"CONNECT"; nocase; content:"|0d 0a|"; distance:0;
>> within:1024; content:"HTTP/1."; distance:-10; within:8; nocase;
>> content:!"\:80"; distance:-11; within:4; content:"CONNECT"; nocase;
>> content:"|0d 0a|"; distance:0; within:1024; content:"HTTP/1.";
>> distance:-10; within:8; nocase; content:!"\:443"; distance:-12;
>> within:5; flow:to_server,established; sid:2000560; rev:2; )
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
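As an added example that is not part of the thread, the following Python script simulates the three match variants discussed above over two constructed HTTP requests; it approximates Snort's `content; nocase` as a case-insensitive substring search and `pcre:"/.../smi"` as Python `re` with the S, M and I flags, and the `\s+` variant is my own tightening, not something proposed in the thread.

```python
import re

# Constructed sample requests (not captured traffic).
GET_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)
CONNECT_REQUEST = (
    b"CONNECT proxy.example.com:8080 HTTP/1.1\r\n"
    b"Host: proxy.example.com:8080\r\n"
    b"\r\n"
)


def content_nocase(payload: bytes, needle: bytes) -> bool:
    """Approximates Snort `content:"..."; nocase;`: a case-insensitive
    substring match anywhere in the payload, with no anchoring."""
    return needle.lower() in payload.lower()


def pcre_smi(payload: bytes, pattern: bytes) -> bool:
    """Approximates Snort `pcre:"/.../smi"` with Python re flags S, M, I.
    With M, `^` matches at the start of every line, not only the request line."""
    return re.search(pattern, payload, re.S | re.M | re.I) is not None


def evaluate(payload: bytes) -> dict:
    """Run the thread's match variants over one request and report each result."""
    return {
        # Rule as posted: "CONNECT" with nocase also matches "Connect" in "Connection:".
        "content_no_space": content_nocase(payload, b"CONNECT"),
        # Fix from the reply: the trailing space excludes "Connection:".
        "content_with_space": content_nocase(payload, b"CONNECT "),
        # Proposed pcre as written: \s* can match zero bytes, so a header
        # line starting with "Connection:" still satisfies it under /m.
        "pcre_star": pcre_smi(payload, rb"^CONNECT\s*"),
        # Hypothetical tightening (mine, not from the thread): require at
        # least one whitespace byte after the method token.
        "pcre_plus": pcre_smi(payload, rb"^CONNECT\s+"),
    }


if __name__ == "__main__":
    for name, req in (("GET", GET_REQUEST), ("CONNECT", CONNECT_REQUEST)):
        print(name, evaluate(req))
```

The GET request reproduces the false positive on "Connection: Keep-Alive" and shows that the trailing-space content match clears it, while the pcre as written still matches that header line because `\s*` accepts zero whitespace.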