[Snort-sigs] Re: Holy False Positives Batman

Matthew Jonkman matt at ...2436...
Tue Jun 15 12:48:03 EDT 2004


Here's the rule to save everyone looking it up:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Invalid HTTP Version String"; flow:to_server,established; content:"HTTP/"; isdataat:6,relative; content:!"|0A|"; within:4; reference:bugtraq,9809; reference:nessus,11593; classtype:non-standard-protocol; sid:2570; rev:3;)

Matthew Jonkman wrote:

> Nice work on all the new signature changes Brian. Except one of them. 
> 2570 is hitting a false positive on about every http hit in and out of 
> networks we watch. I can't find anything unusual about what it's hitting 
> on.
> 
> Anyone else seeing this?
> 
> Matt
> 

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
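
Added example, not part of the original post or of Snort itself: a simplified Python model of the three payload options in the rule above, run over constructed requests. With CRLF line endings the four bytes after "HTTP/" are "1.1\r", so the negated |0A| test succeeds; the function name and the sample payloads are assumptions made for illustration.

```python
# Simplified model (an assumption, not Snort's detection engine) of the
# payload options in sid 2570 rev 3:
#   content:"HTTP/"; isdataat:6,relative; content:!"|0A|"; within:4;

ANCHOR = b"HTTP/"


def sid_2570_matches(payload: bytes) -> bool:
    """Return True if the modelled option chain would fire on this payload."""
    start = payload.find(ANCHOR)
    while start != -1:
        cursor = start + len(ANCHOR)            # relative options begin after the match
        has_data = cursor + 6 < len(payload)    # isdataat:6,relative
        window = payload[cursor:cursor + 4]     # within:4
        if has_data and b"\x0a" not in window:  # content:!"|0A|"
            return True
        start = payload.find(ANCHOR, start + 1)  # try the next "HTTP/" occurrence
    return False


# Constructed sample payloads (not captured traffic).
CRLF_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
LF_REQUEST = b"GET /index.html HTTP/1.1\nHost: www.example.test\n\n"
SHORT_REQUEST = b"GET / HTTP/1.0"
LONG_VERSION = b"GET / HTTP/" + b"A" * 64 + b"\r\n\r\n"

SAMPLES = {
    "ordinary request, CRLF line endings": CRLF_REQUEST,
    "same request, bare LF line endings": LF_REQUEST,
    "truncated request, no data after version": SHORT_REQUEST,
    "over-long version token": LONG_VERSION,
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        idx = payload.find(ANCHOR) + len(ANCHOR)
        print(f"{label:45s} window={payload[idx:idx + 4]!r:12} "
              f"alert={sid_2570_matches(payload)}")
```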




