[Snort-sigs] False positives for SID 972

nnposter at ...592...
Tue May 18 08:55:03 EDT 2004


> Date: Fri, 14 May 2004 15:48:18 -0600
> From: Gunnar Wolf <gwolf at ...2486...>
> 
> My system is generating lots of false positives for SID 972 (WEB-IIS
> %2E-asp access). I am attaching here the payload for one example:

<snip> 

> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS %2E-asp access"; flow:to_server,established; content:"^[^\?]+%2easp"; nocase; reference:bugtraq,1814; reference:cve,CAN-1999-0253; classtype:web-application-activity; sid:972; rev:7;)
> 
> or something equivalent - What triggered this false positive is that
> the .asp is correctly invoked, but after the '?' we see a '%2easp'
> string. The modification I suggest requires no '?' character to appear
> before the %2easp. 

You cannot use regular expressions in "content". Use "pcre" instead.
Nevertheless, you are correct in that the rule could be tightened down.
See my message "False positives on 1:1054:6" from 5/6/04 regarding 
a similar issue.
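As an added illustration (not part of the list thread, and not the signature as later shipped with Snort), the following Python script shows what the reply is getting at: the `[^\?]+%2easp` expression cannot live in "content", which is matched literally, but a tightened rule can keep a literal content match on "%2easp" as the fast pattern and add a "pcre" option that only fires when "%2easp" appears on the request line before any '?'. The PCRE pattern, the rev number and the sample request payloads below are assumptions constructed for the example; the script re-implements the matching logic with Python's `re` module so the false-positive case from the original message can be checked offline.

```python
import re

# Tightened form of SID 972 as this example proposes it (an assumption, not the
# rule as published): the literal "content" stays as Snort's fast-pattern check
# and the anchoring moves into "pcre", which is where regular expressions belong.
# The pcre requires %2easp (any case) on the request line with no '?' before it,
# so a query string such as ?q=%2easp no longer triggers the alert.
TIGHTENED_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-IIS %2E-asp access"; flow:to_server,established; '
    'content:"%2easp"; nocase; pcre:"/^[^?\\r\\n]*%2easp/i"; '
    'reference:bugtraq,1814; reference:cve,CAN-1999-0253; '
    'classtype:web-application-activity; sid:972; rev:8;)'
)

# Python equivalent of the pcre option above: '^' anchors at the start of the
# payload (the HTTP request line), and the negated class forbids both a '?'
# and a line break before %2easp, keeping the match on the request line only.
PCRE = re.compile(r"^[^?\r\n]*%2easp", re.IGNORECASE)


def original_rule_matches(payload: str) -> bool:
    """Behaviour of the rev:7 rule: content:"%2easp"; nocase; matches the
    literal bytes anywhere in the payload, so a query-string value fires it."""
    return "%2easp" in payload.lower()


def tightened_rule_matches(payload: str) -> bool:
    """Behaviour of the tightened rule: the literal content check runs first
    (Snort's fast pattern), then the pcre decides whether the alert fires."""
    if "%2easp" not in payload.lower():
        return False
    return PCRE.search(payload) is not None


# Constructed sample payloads (not captures from the original poster's system).
SAMPLE_PAYLOADS = {
    # %2E used in place of '.' in the path: the case the signature is for.
    "encoded_dot_in_path": "GET /default%2easp HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    # Mixed case, still before any '?': should still fire.
    "encoded_dot_mixed_case": "GET /Login%2EASP?user=x HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # The false positive from the thread: .asp invoked correctly, %2easp only after '?'.
    "encoded_dot_in_query": "GET /search.asp?q=%2Easp HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # Ordinary request with no %2easp at all.
    "plain_request": "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def compare_rules() -> dict:
    """Return, per sample payload, whether the rev:7 and tightened rules fire."""
    return {
        name: (original_rule_matches(p), tightened_rule_matches(p))
        for name, p in SAMPLE_PAYLOADS.items()
    }


if __name__ == "__main__":
    for name, (old, new) in compare_rules().items():
        print(f"{name:24s} rev7={old!s:5s} tightened={new!s:5s}")
```

Running the script prints one line per sample: the two encoded-dot-in-path requests fire under both rules, the query-string request fires only under the rev:7 rule (the false positive reported above), and the plain request fires under neither. Note that Snort anchors '^' at the start of the payload when the pcre carries no 'R' or 'm' modifier, which is what lets the pattern pin the check to the request line.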
