[Snort-sigs] Invalid HTTP still giving lots of FP's

Kevin Peuhkurinen kevin.peuhkurinen at ...1555...
Wed Jun 23 12:04:02 EDT 2004

Rule 2570 (WEB-MISC Invalid HTTP Version String) is still giving me lots 
of false positives -- several hundred per day. They all appear to be 
from various proxy servers that are running Inktomi Traffic Server. 
Here is an example of a triggered packet:

GET / HTTP/1.0..User-Agent: Mozilla/4.75 [en]C-BESI  (WinNT; U)..Accept: 
image/gif, image/x-xbitmap, image/jpeg,image/pjpeg, image/png, 
*/*..Accept-Encoding: gzip..Accept-Language: en..Accept-Charset: 
keep-alive..Via: HTTP/1.0 MontrealCluster[AC1FFE96] 
(Traffic-Server/5.1.3 [uScH])..Host:....

I've disabled the rule for the time being.
