[Snort-sigs] Invalid HTTP still giving lots of FP's

Nigel Houghton nigel at ...435...
Wed Jun 23 12:14:10 EDT 2004


On  0, Kevin Peuhkurinen <kevin.peuhkurinen at ...1555...> allegedly wrote:
> Rule 2570 (WEB-MISC Invalid HTTP Version String) is still giving me lots 
> of false positives -- several hundred per day.   They all appear to be 
> from various proxy servers that are running Inktomi Traffic Server.  
> Here is an example of a triggered packet:
> 
> GET / HTTP/1.0..User-Agent: Mozilla/4.75 [en]C-BESI  (WinNT; U)..Accept: 
> image/gif, image/x-xbitmap, image/jpeg,image/pjpeg, image/png, 
> */*..Accept-Encoding: gzip..Accept-Language: en..Accept-Charset: 
> iso-8859-1,*,utf-8..Client-ip: 142.122.67.229..Connection: 
> keep-alive..Via: HTTP/1.0 MontrealCluster[AC1FFE96] 
> (Traffic-Server/5.1.3 [uScH])..Host:....
> 
> I've disabled the rule for the time being.

Make sure you actually have the latest version of this rule; it should be
rev:6 and look like this...

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
Invalid HTTP Version String"; flow:to_server,established; content:"HTTP/";
isdataat:6,relative; content:!"|0A|"; within:5; reference:bugtraq,9809;
reference:nessus,11593; classtype:non-standard-protocol; sid:2570; rev:6;)

If this version is giving the false positives can you grab some packet
capture data that triggers the event (tcpdump format)? Please send it 
along if you can so we can take a close look at it.

-------------------------------------------------------------
Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.
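Added example, not part of this thread and not Snort's own code: a small Python re-implementation of the rev:6 match logic (content:"HTTP/"; isdataat:6,relative; content:!"|0A|"; within:5), run over a byte-for-byte reconstruction of the request Kevin posted (the ".." in his paste read as CRLF, and the truncated Host value replaced by a placeholder). It assumes, as Snort's detection engine does, that when the negated content check fails for one occurrence of "HTTP/" the engine goes on to try the next occurrence in the payload; under that assumption the function reports which header line the rule ends up matching on, which is the first thing to check before sending a pcap.

```python
"""Re-implementation of the sid:2570 rev:6 match logic (not Snort itself).

Rule semantics being modelled:
  content:"HTTP/"         -> find the literal "HTTP/" in the payload
  isdataat:6,relative     -> at least 6 bytes must follow that match
  content:!"|0A|"; within:5 -> no LF may appear in the 5 bytes after it
Assumption: like the Snort engine, if the negated check fails for one
occurrence of "HTTP/" we retry at the next occurrence.
"""

NEEDLE = b"HTTP/"
LF = b"\n"

# Constructed sample, reconstructed from the request quoted in the thread.
# ".." in the paste is read as CRLF; the Host value is a placeholder.
SAMPLE = (
    b"GET / HTTP/1.0\r\n"
    b"User-Agent: Mozilla/4.75 [en]C-BESI  (WinNT; U)\r\n"
    b"Accept: image/gif, image/x-xbitmap, image/jpeg,image/pjpeg, image/png, */*\r\n"
    b"Accept-Encoding: gzip\r\n"
    b"Accept-Language: en\r\n"
    b"Accept-Charset: iso-8859-1,*,utf-8\r\n"
    b"Client-ip: 142.122.67.229\r\n"
    b"Connection: keep-alive\r\n"
    b"Via: HTTP/1.0 MontrealCluster[AC1FFE96] (Traffic-Server/5.1.3 [uScH])\r\n"
    b"Host: example.invalid\r\n"  # placeholder, original was truncated
    b"\r\n"
)


def sid2570_match(payload: bytes, max_retries: int = 64):
    """Return the offset of the "HTTP/" occurrence that satisfies the rule,
    or None if no occurrence does (i.e. the rule would not alert)."""
    start = 0
    for _ in range(max_retries):
        idx = payload.find(NEEDLE, start)
        if idx < 0:
            return None
        after = idx + len(NEEDLE)
        # isdataat:6,relative -> at least 6 bytes of data after the match
        if len(payload) - after >= 6:
            # content:!"|0A|"; within:5 -> no LF in the next 5 bytes
            if LF not in payload[after:after + 5]:
                return idx
        # negated check failed (an LF was found): try the next occurrence
        start = idx + 1
    return None


def sid2570_hit_line(payload: bytes):
    """Return the header line containing the matching "HTTP/", or None."""
    idx = sid2570_match(payload)
    if idx is None:
        return None
    line_start = payload.rfind(LF, 0, idx) + 1
    line_end = payload.find(b"\r\n", idx)
    if line_end < 0:
        line_end = len(payload)
    return payload[line_start:line_end]


if __name__ == "__main__":
    print("match offset:", sid2570_match(SAMPLE))
    print("matched line:", sid2570_hit_line(SAMPLE))
```

On the reconstructed request the request line itself ("HTTP/1.0" followed by CRLF) passes the negated check, and the match lands in the proxy's Via header, where "HTTP/1.0" is followed by a space and the cluster name rather than a line ending. A plain request without a Via header, or one with a properly terminated version string, does not match at all; a genuinely malformed version such as "HTTP/1.0xyz" matches on the request line as intended.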