[Snort-sigs] Re: Holy False Positives Batman

Brian bmc at ...95...
Wed Jun 16 09:04:12 EDT 2004


On Tue, Jun 15, 2004 at 02:47:06PM -0500, Matthew Jonkman wrote:
> Here's the rule to save everyone looking it up:
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC 
> Invalid HTTP Version String"; flow:to_server,established; content:
> "HTTP/"; isdataat:6,relative; content:!"|0A|"; within:4; 
> reference:bugtraq,9809; reference:nessus,11593; 
> classtype:non-standard-protocol; sid:2570; rev:3;)

Yep, the rule is broken.

Increase the within by 1.  I'll be pushing out an updated rule
shortly.

Brian
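
Added example, not part of the original post and not Snort code: a simplified Python model of the three payload options in the quoted rule, showing why within:4 alerts on an ordinary CRLF-terminated request line and why increasing it by 1 stops that. The function names, the sample payloads and the reading of isdataat:6,relative as "a byte exists 6 bytes past the end of the match" are assumptions made for the illustration.

```python
# Simplified model of the payload options in sid:2570 (not Snort's engine).
# Assumptions: the first "HTTP/" occurrence is used, and isdataat:6,relative
# means a byte exists 6 bytes past the end of that match.

def rule_fires(payload: bytes, within: int) -> bool:
    """Return True if the modelled rule would alert on this payload."""
    idx = payload.find(b"HTTP/")
    if idx < 0:
        return False                      # content:"HTTP/" not found
    cursor = idx + len(b"HTTP/")          # relative options start here
    if cursor + 6 >= len(payload):
        return False                      # isdataat:6,relative fails
    window = payload[cursor:cursor + within]
    return b"\x0a" not in window          # content:!"|0A|"; within:N


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "valid CRLF request": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "valid bare-LF request": b"GET / HTTP/1.0\nHost: www.example.com\n\n",
    "non-standard version": b"GET / HTTP/" + b"A" * 16 + b"\r\n\r\n",
}


def compare():
    """Map each sample to (fires with within:4, fires with within:5)."""
    return {name: (rule_fires(p, 4), rule_fires(p, 5))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (rev3, fixed) in compare().items():
        print(f"{name:24} within:4 -> {rev3!s:5}  within:5 -> {fixed}")
```

With "HTTP/1.1\r\n" the four bytes after "HTTP/" are "1.1\r", so the line feed sits just outside the within:4 window and the negated content match succeeds on valid traffic.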



