[Snort-sigs] False Positive for SID 2570

Lutz Schildt ls at ...2172...
Sat Jun 26 17:50:01 EDT 2004


Hi there,

For a few days I have been getting false positives for SID 2570. The payload of the packets always looks like the following. I have cut off the not-so-interesting part. Every alert seems to be triggered if the Traffic-Server proxy is used.

>>>> snip <<<<
000 : 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 0D 0A   GET / HTTP/1.0..
010 : 41 63 63 65 70 74 3A 20 69 6D 61 67 65 2F 67 69   Accept: image/gi
...
160 : 76 65 0D 0A 56 69 61 3A 20 48 54 54 50 2F 31 2E   ve..Via: HTTP/1.
170 : 31 20 70 72 6F 78 79 5B 41 43 31 45 31 37 34 39   1 proxy[AC1E1749
180 : 5D 20 28 54 72 61 66 66 69 63 2D 53 65 72 76 65   ] (Traffic-Serve
190 : 72 2F 35 2E 35 2E 31 2D 35 39 30 39 36 20 5B 75   r/5.5.1-59096 [u
1a0 : 53 63 4D 5D 29 0D 0A 0D 0A                        ScM])....
>>>> snip <<<<

 

Best Regards

Lutz Schildt

---
mcb multimedia-centrum bremerhaven GmbH
Schifferstraße 10 - 14
D-27568 Bremerhaven

www http://www.mcb-bremerhaven.de
mail ls at ...2172...
tel 0471 92626 12
fax 0471 92626 17

 
