[Snort-sigs] False positive with Nagios check_http

Frank Knobbe frank at ...1978...
Mon Feb 7 10:01:29 EST 2005


On Mon, 2005-02-07 at 11:52 +0100, Carsten Schmitz wrote:
> I keep getting the alert below from the office box running Nagios 1.2
> checking my home web site (where Snort lives). Not sure if this is a false
> positive, maybe the plugin violates some standard?
>
> Rule: nessus[bugtraq][snort] WEB-MISC Invalid HTTP Version String
> Detailed Information:
> 000 : 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 0D 0A   GET / HTTP/1.0..
> 010 : 55 73 65 72 2D 41 67 65 6E 74 3A 20 63 68 65 63   User-Agent: chec
> 020 : 6B 5F 68 74 74 70 2F 31 2E 35 34 20 28 6E 61 67   k_http/1.54 (nag
> 030 : 69 6F 73 2D 70 6C 75 67 69 6E 73 20 31 2E 34 2E   ios-plugins 1.4.
> 040 : 30 61 6C 70 68 61 31 29 0D 0A 48 6F 73 74 3A 20   0alpha1)..Host:
> 050 : 32 31 33 2E 38 34 2E 31 39 32 2E 37 33 0D 0A 0D   xxx.xx.xxx.xx...
> 060 : 0A                                                .

Rule Detail:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
Invalid HTTP Version String"; flow:to_server,established;
content:"HTTP/"; nocase; isdataat:6,relative; content:!"|0A|"; within:5;
reference:bugtraq,9809; reference:nessus,11593;
classtype:non-standard-protocol; sid:2570; rev:7;)


Nope, it does what it is supposed to do. It looks for HTTP/ and checks
if there is a LF within 5 bytes. 

In your packet it matched on the "http/" in "check_http/1.54" but of
course doesn't see an LF within 5 bytes (where it says "(nagios-plugins").


A proposed solution might be to look for " HTTP/" since the user agent
doesn't contain a space and (iirc) the HTTP spec defines a space before
HTTP/x.x.

Regards,
Frank
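Frank's explanation of why sid:2570 fires on the Nagios request, and his proposed " HTTP/" fix, can be checked by emulating the rule's payload logic. The Python below is an added example, not code from the original post or from Snort; it emulates only the rule's three payload checks (the nocase content match, isdataat:6,relative, and the negated content:!"|0A|" within:5), including Snort's behaviour of retrying later occurrences of the first content when a relative check fails. The sample requests are constructed: the Nagios one is rebuilt from the hex dump in the post with the documentation address 192.0.2.10 standing in for the masked Host value, and the other two are made up to show a genuine trigger and a clean request.

```python
from typing import Optional

# Constructed samples (not captured traffic). NAGIOS_REQUEST follows the
# hex dump quoted in the post; 192.0.2.10 replaces the masked Host value.
NAGIOS_REQUEST = (
    b"GET / HTTP/1.0\r\n"
    b"User-Agent: check_http/1.54 (nagios-plugins 1.4.0alpha1)\r\n"
    b"Host: 192.0.2.10\r\n"
    b"\r\n"
)
# A request whose version token really does run past 5 bytes without an LF.
BAD_VERSION_REQUEST = b"GET / HTTP/1.0xxxxx\r\nHost: 192.0.2.10\r\n\r\n"
# A normal request that should not alert.
CLEAN_REQUEST = b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"


def rule_2570_matches(payload: bytes, prefix: bytes = b"HTTP/") -> Optional[int]:
    """Emulate the payload checks of sid:2570.

    content:"<prefix>"; nocase;        -> case-insensitive search for prefix
    isdataat:6,relative;               -> at least 6 bytes after the match
    content:!"|0A|"; within:5;         -> no LF in the 5 bytes after the match

    Returns the offset of the occurrence that satisfied all checks (the alert
    position), or None when no occurrence does.  Like Snort, when the relative
    checks fail for one occurrence, the next occurrence of the prefix is tried.
    """
    haystack = payload.lower()
    needle = prefix.lower()
    start = 0
    while True:
        pos = haystack.find(needle, start)
        if pos < 0:
            return None            # no (more) occurrences: rule does not fire
        cursor = pos + len(needle)  # Snort's detect cursor after the match
        enough_data = len(payload) - cursor >= 6
        no_lf_within_5 = b"\n" not in payload[cursor:cursor + 5]
        if enough_data and no_lf_within_5:
            return pos
        start = pos + 1             # retry with the next occurrence


def explain(payload: bytes, prefix: bytes) -> str:
    """Human-readable verdict for one payload under one content prefix."""
    pos = rule_2570_matches(payload, prefix)
    if pos is None:
        return "no alert"
    context = payload[pos:pos + len(prefix) + 5]
    return f"ALERT at offset {pos}: matched {context!r}"


if __name__ == "__main__":
    for name, req in (("nagios", NAGIOS_REQUEST),
                      ("bad-version", BAD_VERSION_REQUEST),
                      ("clean", CLEAN_REQUEST)):
        print(f"{name:12} as shipped (HTTP/):   {explain(req, b'HTTP/')}")
        print(f"{name:12} proposed  ( HTTP/):   {explain(req, b' HTTP/')}")
```

With the shipped content the first "HTTP/" in the Nagios request line is rejected (an LF sits within its next 5 bytes), so the engine moves on to the "http/" inside "check_http/1.54" and fires there; with a leading space in the content there is no second occurrence and the request is clean, while the genuinely malformed version string still alerts under both variants. Note that the space only narrows the pattern: any later " HTTP/" in a header value that is not followed by an LF within 5 bytes would still trigger.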
