[Snort-sigs] False Positive

Pendleton, Adam (HQ-LD070)[SAIC] APendlet at ...2955...
Thu Jan 13 06:47:24 EST 2005


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  
WEB-MISC .DS_Store access
--
Sid:
1769 
--
Summary:
This rule triggers when Mac users access their iDisk.
--
Impact:
False positive.
--
Detailed Information:
The .DS_Store file is created by a Mac system when it accesses a folder.  Users who mount iDrives from .Mac mount these drives over HTTP.  When they access a folder, they do a PROPFIND on the .DS_Store file, triggering this alert.
--
Affected Systems:
Macs accessing iDrives.
--
Attack Scenarios:
N/A
--
Ease of Attack:

--
False Positives:
This is a false positive, not a real attack.
--
False Negatives:

--
Corrective Action:

--
Contributors:

-- 
Additional References:

000 : 50 52 4F 50 46 49 4E 44 20 2F 6D 72 62 63 75 64   PROPFIND /mrbcud
010 : 61 2F 2E 44 53 5F 53 74 6F 72 65 20 48 54 54 50   a/.DS_Store HTTP
020 : 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74   /1.1..User-Agent
030 : 3A 20 57 65 62 44 41 56 46 53 2F 31 2E 32 2E 37   : WebDAVFS/1.2.7
040 : 20 28 30 31 32 37 38 30 30 30 29 20 44 61 72 77    (01278000) Darw
050 : 69 6E 2F 37 2E 37 2E 30 20 28 50 6F 77 65 72 20   in/7.7.0 (Power 
060 : 4D 61 63 69 6E 74 6F 73 68 29 0D 0A 41 63 63 65   Macintosh)..Acce
070 : 70 74 3A 20 2A 2F 2A 0D 0A 48 6F 73 74 3A 20 69   pt: */*..Host: i
080 : 64 69 73 6B 2E 6D 61 63 2E 63 6F 6D 3A 38 30 0D   disk.mac.com:80.
090 : 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74   .Content-Type: t
0a0 : 65 78 74 2F 78 6D 6C 0D 0A 44 65 70 74 68 3A 20   ext/xml..Depth: 
0b0 : 30 0D 0A 43 6F 6E 74 65 6E 74 2D 4C 65 6E 67 74   0..Content-Lengt
0c0 : 68 3A 20 31 36 34 0D 0A 41 75 74 68 6F 72 69 7A   h: 164..Authoriz
0d0 : 61 74 69 6F 6E 3A 20 44 69 67 65 73 74 20 75 73   ation: Digest us
0e0 : 65 72 6E 61 6D 65 3D 22 6D 72 62 63 75 64 61 22   ername="mrbcuda"
0f0 : 2C 20 72 65 61 6C 6D 3D 22 6D 72 62 63 75 64 61   , realm="mrbcuda
100 : 40 6D 61 63 2E 63 6F 6D 22 2C 20 6E 6F 6E 63 65   @mac.com", nonce
110 : 3D 22 51 65 4B 70 38 77 3D 3D 65 39 63 38 38 32   ="QeKp8w==e9c882
120 : 31 61 38 37 62 35 31 37 32 30 31 65 32 36 64 30   1a87b517201e26d0
130 : 64 65 32 31 66 37 30 63 38 63 36 32 36 31 61 66   de21f70c8c6261af
140 : 65 38 22 2C 20 75 72 69 3D 22 68 74 74 70 3A 2F   e8", uri="http:/
150 : 2F 69 64 69 73 6B 2E 6D 61 63 2E 63 6F 6D 2F 6D   /idisk.mac.com/m
160 : 72 62 63 75 64 61 2F 2E 44 53 5F 53 74 6F 72 65   rbcuda/.DS_Store
170 : 22 2C 20 72 65 73 70 6F 6E 73 65 3D 22 34 39 32   ", response="492
180 : 30 66 39 63 64 36 37 36 34 32 38 34 30 32 38 64   0f9cd6764284028d
190 : 39 63 61 31 38 32 66 36 65 61 39 34 30 22 2C 20   9ca182f6ea940", 
1a0 : 61 6C 67 6F 72 69 74 68 6D 3D 22 4D 44 35 22 2C   algorithm="MD5",
1b0 : 20 71 6F 70 3D 22 61 75 74 68 22 2C 20 6E 63 3D    qop="auth", nc=
1c0 : 30 30 30 31 36 37 38 35 2C 20 63 6E 6F 6E 63 65   00016785, cnonce
1d0 : 3D 22 4E 44 46 6B 5A 57 49 79 4E 44 55 36 4D 44   ="NDFkZWIyNDU6MD
1e0 : 41 77 4D 44 56 6A 5A 54 59 3D 22 0D 0A 43 6F 6E   AwMDVjZTY="..Con
1f0 : 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A   nection: close..
200 : 0D 0A                                             ..
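The following is an added example, not code from the post above or from the Snort rule set: a small triage script that rebuilds the request from the hex dump format used in the post, parses it, and separates the Finder's WebDAV PROPFIND on an iDisk from the plain GET of a .DS_Store file that the rule exists to catch. It assumes (from the rule name only) that SID 1769 keys on the string ".DS_Store" in the request URI; the GET sample, the hostname www.example.com and the helper names are constructed for the example.

```python
"""Triage helper for Snort SID 1769 (WEB-MISC .DS_Store access) alerts.

Added example, not code from the original post or from the Snort rule set.
Assumption: the rule keys on the string ".DS_Store" in the request URI, so
it fires on both of these:
  * a Mac Finder mounting an iDisk over WebDAV, which issues
    PROPFIND /<user>/.DS_Store with a WebDAVFS User-Agent (the capture
    quoted in the post), and
  * a scanner doing GET /.DS_Store to pull a directory listing that was
    left in a web root, which is what the rule exists to catch.
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from the 'OFFSET : HH HH ...   ascii' dump format
    used in the post. Only the 16 hex columns are read; the ASCII column is
    ignored, so a stray '20' in the ASCII text cannot corrupt the result."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _offset, _, rest = line.partition(":")
        # 16 bytes * 2 hex digits + 15 separating spaces = 47 characters,
        # preceded by one space; bytes.fromhex() skips the whitespace.
        out += bytes.fromhex(rest[1:48])
    return bytes(out)


# First three lines of the capture in the post, used to check the parser.
DUMP_EXCERPT = """\
000 : 50 52 4F 50 46 49 4E 44 20 2F 6D 72 62 63 75 64   PROPFIND /mrbcud
010 : 61 2F 2E 44 53 5F 53 74 6F 72 65 20 48 54 54 50   a/.DS_Store HTTP
020 : 2F 31 2E 31 0D 0A 55 73 65 72 2D 41 67 65 6E 74   /1.1..User-Agent
"""

# Request headers from the post's capture, retyped; the Digest
# Authorization header and the 164-byte XML body are omitted.
IDISK_PROPFIND = (
    b"PROPFIND /mrbcuda/.DS_Store HTTP/1.1\r\n"
    b"User-Agent: WebDAVFS/1.2.7 (01278000) Darwin/7.7.0 (Power Macintosh)\r\n"
    b"Accept: */*\r\n"
    b"Host: idisk.mac.com:80\r\n"
    b"Content-Type: text/xml\r\n"
    b"Depth: 0\r\n"
    b"Content-Length: 164\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

# Constructed sample of the traffic the rule is meant to catch: a GET for a
# .DS_Store file left in a web root, which can disclose directory contents.
RECON_GET = (
    b"GET /images/.DS_Store HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (compatible; scanner)\r\n"
    b"\r\n"
)

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def parse_request(raw: bytes):
    """Split an HTTP/1.x request into (method, uri, headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def sid_1769_matches(uri: str) -> bool:
    """Assumed match condition of the rule: '.DS_Store' anywhere in the URI."""
    return ".DS_Store" in uri


def triage(raw: bytes) -> str:
    """Classify a request that would raise SID 1769.

    'benign-webdav-client': a WebDAV method from the Mac WebDAV client, i.e.
        the Finder looking up folder metadata on a mounted volume.
    'investigate': anything else touching .DS_Store, above all a plain GET,
        which is the directory-listing disclosure the rule targets.
    """
    method, uri, headers = parse_request(raw)
    if not sid_1769_matches(uri):
        return "no-alert"
    ua = headers.get("user-agent", "")
    if method in WEBDAV_METHODS and ua.startswith("WebDAVFS/"):
        return "benign-webdav-client"
    return "investigate"


if __name__ == "__main__":
    assert hexdump_to_bytes(DUMP_EXCERPT).startswith(b"PROPFIND /mrbcuda/.DS_Store")
    for name, req in (("iDisk PROPFIND", IDISK_PROPFIND), ("scanner GET", RECON_GET)):
        print(f"{name}: {triage(req)}")
```

The User-Agent is attacker-controlled, so this classification is for tuning the false positive, not for clearing an event: when quieting the rule for iDisk traffic, key the exception on the destination as well. In Snort 2.x that is a threshold.conf entry of the form `suppress gen_id 1, sig_id 1769, track by_dst, ip <iDisk address>`, which leaves the rule active for your own web servers.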