[Snort-sigs] False positive in 882.5 (WEB-CGI calendar access)

nnposter nnposter at ...592...
Fri Feb 4 13:24:57 EST 2005


Rule:  WEB-CGI calendar access

--
Sid: 882

--

False Positive
The current version of the rule will match on any URI containing 
/calendar, not just /calendar.pl or /calendar_admin.pl. It seems 
the rule could be substantially more accurate if the following 
PCRE is added:


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"WEB-CGI calendar access"; \
flow:to_server,established; \
uricontent:"/calendar"; nocase; \
pcre:"/\/calendar(_admin)?\.pl\b/iU"; \
classtype:attempted-recon; sid:882; rev:6;)
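
Added example (not part of the original post or of the Snort ruleset): a Python comparison of the content-only match against the content-plus-PCRE match proposed above. The sample URIs are constructed, and Python's re module stands in for PCRE applied to the normalized URI buffer (an assumption of this sketch).

```python
import re

# The proposed pattern. Snort's U modifier selects the normalized URI buffer;
# here each sample string stands in for that buffer (assumption).
PROPOSED_PCRE = re.compile(r"/calendar(_admin)?\.pl\b", re.IGNORECASE)

def content_only(uri):
    """Rule without the PCRE: uricontent:"/calendar"; nocase;"""
    return "/calendar" in uri.lower()

def with_pcre(uri):
    """Proposed rule: uricontent and pcre must both match."""
    return content_only(uri) and PROPOSED_PCRE.search(uri) is not None

# Constructed sample URIs, not taken from real traffic.
SAMPLES = [
    "/cgi-bin/calendar.pl",                 # intended target
    "/cgi-bin/calendar_admin.pl?config=x",  # intended target
    "/CGI-BIN/Calendar.PL",                 # nocase and /i both apply
    "/calendar/2005/02/index.html",         # false positive on content alone
    "/calendar_view.php",                   # false positive on content alone
    "/calendar.plx",                        # no \b between "pl" and "x"
    "/calendar.pl.bak",                     # still alerts: "." satisfies \b
    "/mycalendar.pl",                       # never matched: no "/calendar"
]

def classify(uris):
    """Return {uri: (content_only, with_pcre)} for each URI."""
    return {u: (content_only(u), with_pcre(u)) for u in uris}

def suppressed(uris):
    """URIs that alert on content alone but not once the PCRE is added."""
    return [u for u, (old, new) in classify(uris).items() if old and not new]

if __name__ == "__main__":
    for uri, (old, new) in classify(SAMPLES).items():
        print(f"{uri:40} content-only={old!s:5} with-pcre={new}")
    print("suppressed:", suppressed(SAMPLES))
```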



