[Snort-sigs] False Positive

Nigel Houghton nigel at ...435...
Mon Jan 17 07:36:51 EST 2005


On  0, "Pendleton, Adam (HQ-LD070)[SAIC]" <APendlet at ...2955...> allegedly wrote:

> The .DS_Store file is created by a Mac system when it accesses a
> folder. Users who mount iDrives from .Mac, mount these drives over
> HTTP. When they access a folder, they do a PROPFIND on the .DS_Store
> file, triggering this alert.

Are you saying that you allow Mac users to remotely mount a volume on a
web server from outside your internal network?

Here's the rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"WEB-MISC .DS_Store access"; flow:to_server,established; \
uricontent:"/.DS_Store"; \
reference:url,www.macintouch.com/mosxreaderreports46.html; \
classtype:web-application-activity; sid:1769; rev:3;)

Now, are your $EXTERNAL_NET and $HOME_NET variables correctly set? Do
you have the latest version of the rule? Have you modified the rule at
all?

+-----------------------------------------------------------------+
    Nigel Houghton      Research Engineer       Sourcefire Inc.
                  Vulnerability Research Team

 Stewie: You know, I rather like this God fellow. Very theatrical,
         you know. Pestilence here, a plague there. Omnipotence
         ...gotta get me some of that.
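To make Nigel's three questions concrete, here is an added example (not part of the post or of the Snort distribution) that mirrors the conditions of sid:1769 in plain Python and evaluates a few constructed PROPFIND requests against two variable settings: a correctly scoped $HOME_NET, and the common misconfiguration where $HOME_NET is left at `any`, which makes $EXTERNAL_NET (conventionally `!$HOME_NET`) cover the internal .Mac clients too. All addresses, ports and requests below are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed snort.conf-style variable values (assumption, not from the post).
HOME_NET_OK = ["10.0.0.0/8", "192.168.0.0/16"]   # internal ranges, properly scoped
HOME_NET_ANY = "any"                              # the misconfiguration under discussion
HTTP_SERVERS = ["10.0.5.10"]                      # the WebDAV/HTTP server the Macs mount
HTTP_PORTS = [80, 8080]


def in_net(ip: str, nets) -> bool:
    """True when ip falls inside any of the given CIDR blocks / hosts."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def is_external(src_ip: str, home_net) -> bool:
    """$EXTERNAL_NET is conventionally !$HOME_NET; with HOME_NET 'any', everything is external."""
    if home_net == "any":
        return True
    return not in_net(src_ip, home_net)


@dataclass
class Request:
    src_ip: str
    dst_ip: str
    dst_port: int
    method: str
    uri: str
    established: bool = True


def sid1769_matches(req: Request, home_net, http_servers=HTTP_SERVERS, http_ports=HTTP_PORTS) -> bool:
    """Re-implements the header and options of sid:1769 from the post:
    $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS, flow:to_server,established,
    uricontent:"/.DS_Store" (a case-sensitive substring match on the URI)."""
    if not is_external(req.src_ip, home_net):
        return False
    if not in_net(req.dst_ip, http_servers):
        return False
    if req.dst_port not in http_ports:
        return False
    if not req.established:
        return False
    return "/.DS_Store" in req.uri


def sample_requests():
    """Constructed traffic: an internal Mac mounting its iDrive folder, and an outside client."""
    return {
        "internal_mac": Request("10.0.2.33", "10.0.5.10", 80, "PROPFIND", "/idisk/Documents/.DS_Store"),
        "external_client": Request("203.0.113.7", "10.0.5.10", 80, "PROPFIND", "/idisk/Documents/.DS_Store"),
        "internal_other_uri": Request("10.0.2.33", "10.0.5.10", 80, "GET", "/idisk/Documents/report.pdf"),
    }


def evaluate(home_net):
    """Returns {name: alerted?} for each sample request under the given $HOME_NET."""
    return {name: sid1769_matches(req, home_net) for name, req in sample_requests().items()}


if __name__ == "__main__":
    print("HOME_NET scoped:", evaluate(HOME_NET_OK))
    print("HOME_NET any:   ", evaluate(HOME_NET_ANY))
```

With $HOME_NET scoped to the internal ranges, the internal Mac's PROPFIND never reaches the rule because its source is not in $EXTERNAL_NET; with $HOME_NET left at `any`, the same request alerts, which is exactly the "false positive" reported. The outside client alerts in both cases, which is the behaviour the rule is for.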