[Snort-sigs] False positive in 882.5 (WEB-CGI calendar access)

BoFH BoFH at ...2981...
Fri Feb 4 13:32:24 EST 2005


On  0, nnposter <nnposter at ...592...> said:
> 
> Rule:  WEB-CGI calendar access
> 
> --
> Sid: 882
> 
> --
> 
> False Positive
> The current version of the rule will match on any URI containing 
> /calendar, not just /calendar.pl or /calendar_admin.pl. It seems 
> the rule could be substantially more accurate if the following 
> PCRE is added:
> 
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"WEB-CGI calendar access"; 
> flow:to_server,established; 
> uricontent:"/calendar"; nocase; 
> pcre:"/\/calendar(_admin)?\.pl\b/iU"; 
> classtype:attempted-recon; sid:882; rev:6;) 

Except that you could be using calendar.cgi or just not using an
extension at all.

-- 
BoFH

excuse #446:
Mailer-daemon is busy burning your message in hell
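
Added example, not part of the original thread or of the Snort ruleset: a Python check of the content-only match, the PCRE proposed above, and the gap raised in the reply, run over constructed URIs. Snort's /U modifier is emulated by matching the URI string directly, and VARIANT is a hypothetical pattern (an assumption, not from either poster) that makes the extension optional while still requiring a path or query boundary.

```python
import re

# The PCRE proposed in the thread; Snort's /U (match the normalized URI) is
# emulated here by passing the URI string directly.
PROPOSED = re.compile(r"/calendar(_admin)?\.pl\b", re.IGNORECASE)

# Hypothetical variant (an assumption, not from the thread): extension optional,
# .pl or .cgi accepted, and the name must end at a path/query boundary.
VARIANT = re.compile(r"/calendar(_admin)?(\.(pl|cgi))?(?=[/?#]|$)", re.IGNORECASE)

def content_only(uri):
    """uricontent:"/calendar"; nocase; with no PCRE (the rule as it stood)."""
    return "/calendar" in uri.lower()

def evaluate(uri):
    """Return (content_only, proposed, variant) verdicts for one URI."""
    hit = content_only(uri)
    # In the rule, pcre is an extra condition on top of uricontent.
    return (hit, hit and bool(PROPOSED.search(uri)), hit and bool(VARIANT.search(uri)))

# Constructed sample URIs, not taken from real traffic.
SAMPLES = [
    "/cgi-bin/calendar.pl?month=2",
    "/cgi-bin/Calendar_Admin.pl",
    "/cgi-bin/calendar.cgi",
    "/cgi-bin/calendar",
    "/cgi-bin/calendar?year=2005",
    "/images/calendar.png",
    "/calendars/2005/february.html",
    "/cgi-bin/calendar.plx",
]

if __name__ == "__main__":
    print(f"{'URI':34} content  proposed  variant")
    for uri in SAMPLES:
        c, p, v = evaluate(uri)
        print(f"{uri:34} {c!s:7}  {p!s:8}  {v!s}")
```

The content-only column fires on every sample, the proposed PCRE only on the two .pl URIs, and the variant also covers calendar.cgi and the extensionless forms without matching /images/calendar.png or /calendars/.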



