[Snort-sigs] Re: Holy False Positives Batman

John J. Nagro jnagro at ...289...
Wed Jun 16 13:39:05 EDT 2004


On 16.Jun.2004 12:03PM -0400, Brian wrote:

Did you push the rule out yet?

Does this mean the within should be 5 and not 4?

-John Nagro

> On Tue, Jun 15, 2004 at 02:47:06PM -0500, Matthew Jonkman wrote:
> > Here's the rule to save everyone looking it up:
> > 
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC 
> > Invalid HTTP Version String"; flow:to_server,established; content:
> > "HTTP/"; isdataat:6,relative; content:!"|0A|"; within:4; 
> > reference:bugtraq,9809; reference:nessus,11593; 
> > classtype:non-standard-protocol; sid:2570; rev:3;)
> 
> Yep, the rule is broken.
> 
> Increase the within by 1.  I'll be pushing out an updated rule
> shortly.
> 
> Brian
> 
> 

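An added example, not part of the original thread and not Snort's own code: a simplified Python model of the two content checks in the quoted rule, run over constructed request payloads, showing why `within:4` fires on an ordinary CRLF-terminated request line and `within:5` does not. The `isdataat` handling (at least six bytes after the match) and the retry on later `HTTP/` occurrences are modeling assumptions.

```python
# Simplified model of the quoted rule (sid:2570); not Snort's matcher.
ANCHOR = b"HTTP/"

def rule_fires(payload: bytes, within: int, min_after: int = 6) -> bool:
    """Return True if the modeled rule would alert on this payload."""
    start = 0
    while True:
        idx = payload.find(ANCHOR, start)
        if idx < 0:
            return False
        cursor = idx + len(ANCHOR)  # relative options count from end of match
        # isdataat:6,relative, modeled here as "at least min_after bytes follow"
        if len(payload) - cursor >= min_after:
            window = payload[cursor:cursor + within]
            # content:!"|0A|"; within:N is satisfied when no LF is in the window
            if b"\n" not in window:
                return True
        start = idx + 1  # assumption: try any later "HTTP/" occurrence

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    # "1.1\r\n" is five bytes, so the LF sits just outside a 4-byte window
    "crlf": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # bare-LF line ending: the LF is the 4th byte after "HTTP/"
    "lf_only": b"GET /index.html HTTP/1.1\nHost: example.test\n\n",
    # overlong version string: no LF within 4 or 5 bytes
    "long_version": b"GET /index.html HTTP/11111111\r\nHost: example.test\r\n\r\n",
}

def compare():
    """Map sample name -> (fires with within:4, fires with within:5)."""
    return {name: (rule_fires(p, 4), rule_fires(p, 5))
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (rev3, fixed) in compare().items():
        print(f"{name:13s} within:4 -> {rev3!s:5s}  within:5 -> {fixed}")
```
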