[Snort-sigs] False positives for SID 972

nnposter at ...592...
Fri May 28 15:22:02 EDT 2004

From: nnposter at ...592...
>> From: Gunnar Wolf <gwolf at ...2486...>
>> My system is generating lots of false positives for SID 972 (WEB-IIS
>> %2E-asp access). I am attaching here the payload for one example:
> <snip> 
>> (msg:"WEB-IIS %2E-asp access"; flow:to_server,established; 
>> content:"^[^\?]+%2easp"; nocase; reference:bugtraq,1814; 
>> reference:cve,CAN-1999-0253; classtype:web-application-activity;
>> sid:972; rev:7;)
>> or something equivalent - What triggered this false positive is that
>> the .asp is correctly invoked, but after the '?' we see a '%2easp'
>> string. The modification I suggest requires no '?' character to appear
>> before the %2easp. 
> You cannot use regular expressions in "content". Use "pcre" instead.
> Nevertheless, you are correct in that the rule could be tightened down.
> See my message "False positives on 1:1054:6" from 5/6/04 regarding 
> a similar issue.

This should help with the false positives:

(msg:"WEB-IIS %2E-asp access"; flow:to_server,established; 
uricontent:".asp"; nocase; content:"%2easp"; nocase; 
pcre:"/^[A-Z]+\s+[^\n\s\?]*%/sm"; reference:bugtraq,1814; 
reference:cve,CAN-1999-0253; classtype:web-application-activity;)
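
Added example, not part of the original message: a Python approximation of the three options in the rule proposed above (uricontent, content, pcre), run over constructed HTTP requests to show which ones still alert. Assumptions: uricontent normalization is approximated by one percent-decode of the request URI, baseline_match is a position-free "%2easp" check standing in for the false-positive behaviour described in the thread, and STRICT_PCRE is a hypothetical tighter variant that is not from the thread.

```python
import re
from urllib.parse import unquote

# pcre from the proposed rule; /s -> DOTALL, /m -> MULTILINE. There is no /i,
# so the HTTP method must be upper case.
PROPOSED_PCRE = re.compile(r"^[A-Z]+\s+[^\n\s\?]*%", re.S | re.M)
# Hypothetical tighter variant (assumption, not from the thread): the escape
# found before the first '?' must itself be %2easp.
STRICT_PCRE = re.compile(r"^[A-Z]+\s+[^\n\s\?]*%2easp", re.S | re.M | re.I)


def request_uri(payload: str) -> str:
    """Return the request-target from the first line, or '' if malformed."""
    parts = payload.split("\r\n", 1)[0].split()
    return parts[1] if len(parts) >= 2 else ""


def baseline_match(payload: str) -> bool:
    """content:"%2easp"; nocase; with no constraint on where it appears."""
    return "%2easp" in payload.lower()


def proposed_match(payload: str, pcre=PROPOSED_PCRE) -> bool:
    """All three options of the proposed rule must hit for an alert."""
    # uricontent is approximated by percent-decoding the URI once.
    uri_hit = ".asp" in unquote(request_uri(payload)).lower()
    return uri_hit and baseline_match(payload) and bool(pcre.search(payload))


# Constructed sample requests (not taken from the thread).
SAMPLES = {
    # Encoded dot in the script name itself: the case the rule is for.
    "encoded_ext": "GET /shop/default%2Easp HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    # %2easp only after the '?': the false positive reported in the thread.
    "query_only": "GET /go.asp?next=/shop/default%2easp HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    # Unrelated escape in the path plus %2easp in the query string.
    "escape_in_path": "GET /my%20docs/go.asp?next=default%2easp HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
}


def evaluate() -> dict:
    """Map sample name -> (baseline, proposed rule, strict variant)."""
    return {name: (baseline_match(p), proposed_match(p), proposed_match(p, STRICT_PCRE))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (base, prop, strict) in evaluate().items():
        print(f"{name:15} baseline={base} proposed={prop} strict={strict}")
```

The third sample still alerts under the proposed pcre because that pattern accepts any "%" before the first "?", so a path containing another escape such as %20 is enough when "%2easp" appears in the query string.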
