[Snort-sigs] False Positive

fmonkey at ...2963...
Tue Jan 18 06:41:00 EST 2005


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:  WEB-IIS %2E-asp access
--
Sid: 972
--
Summary:  The Google toolbar encodes the period when checking for updates to web
pages.
--
Impact: N/A

--
Detailed Information:  It appears the Google toolbar checks for the
"freshness" of a page, and encodes the URL of the page as part of the
request to the Google server.  This triggers the alert, but there is no
attack.

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:  This is a false positive.  Packet dump below.


 length = 451

000 : 47 45 54 20 2F 73 65 61 72 63 68 3F 63 6C 69 65   GET /search?clie
010 : 6E 74 3D 6E 61 76 63 6C 69 65 6E 74 2D 61 75 74   nt=navclient-aut
020 : 6F 26 63 68 3D 36 32 33 33 37 38 35 33 31 36 35   o&ch=62337853165
030 : 26 66 72 65 73 68 6E 65 73 73 5F 63 68 65 63 6B   &freshness_check
040 : 3D 34 5A 37 57 34 53 45 31 31 70 4E 5F 5F 72 5F   =4Z7W4SE11pN__r_
050 : 6C 4E 78 61 59 77 26 69 71 72 6E 3D 31 61 56 26   lNxaYw&iqrn=1aV&
060 : 69 65 3D 55 54 46 2D 38 26 6F 65 3D 55 54 46 2D   ie=UTF-8&oe=UTF-
070 : 38 26 66 65 61 74 75 72 65 73 3D 52 61 6E 6B 26   8&features=Rank&
080 : 71 3D 69 6E 66 6F 3A 68 74 74 70 25 33 41 25 32   q=info:http%3A%2
090 : 46 25 32 46 65 6C 65 61 72 6E 69 6E 67 25 32 45   F%2Felearning%2E
0a0 : 65 73 69 25 32 44 69 6E 74 6C 25 32 45 63 6F 6D   esi%2Dintl%2Ecom
0b0 : 25 32 46 25 35 46 79 6F 67 61 25 32 46 73 63 72   %2F%5Fyoga%2Fscr
0c0 : 69 70 74 73 25 32 46 70 64 69 25 32 45 61 73 70   ipts%2Fpdi%2Easp
0d0 : 25 33 46 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73   %3F HTTP/1.1..Us
0e0 : 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C   er-Agent: Mozill
0f0 : 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C   a/4.0 (compatibl
100 : 65 3B 20 47 6F 6F 67 6C 65 54 6F 6F 6C 62 61 72   e; GoogleToolbar
110 : 20 32 2E 30 2E 31 31 34 2E 39 2D 62 69 67 3B 20    2.0.114.9-big;
120 : 57 69 6E 64 6F 77 73 20 58 50 20 35 2E 31 29 0D   Windows XP 5.1).
130 : 0A 48 6F 73 74 3A 20 74 6F 6F 6C 62 61 72 71 75   .Host: toolbarqu
140 : 65 72 69 65 73 2E 67 6F 6F 67 6C 65 2E 63 6F 6D   eries.google.com
150 : 0D 0A 43 61 63 68 65 2D 43 6F 6E 74 72 6F 6C 3A   ..Cache-Control:
160 : 20 6E 6F 2D 63 61 63 68 65 0D 0A 43 6F 6F 6B 69    no-cache..Cooki
170 : 65 3A 20 50 52 45 46 3D 49 44 3D 37 62 61 63 66   e: PREF=ID=7bacf
180 : 63 37 63 32 66 64 65 34 61 38 36 3A 54 4D 3D 31   c7c2fde4a86:TM=1
190 : 30 39 35 31 30 37 34 36 30 3A 4C 4D 3D 31 30 39   095107460:LM=109
1a0 : 35 31 30 37 35 35 38 3A 54 42 3D 32 3A 53 3D 64   5107558:TB=2:S=d
1b0 : 77 64 39 45 52 4A 2D 41 67 41 4A 33 2D 55 72 0D   wd9ERJ-AgAJ3-Ur.
1c0 : 0A 0D 0A                                          ...
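The analysis in the report above, reproduced as an added example (this code is not from the original post or from the Snort project): it rebuilds the 451-byte request from the posted hex dump, then checks where the matching bytes actually sit. The pattern tested for, `%2e` immediately followed by `asp`, matched case-insensitively, is an assumption inferred from the rule message and from the bytes that fired, not read from the rule file. The result shows the pattern lands only inside the `q=` query parameter, which carries the percent-encoded URL of the page the toolbar is asking about, and that the request is bound for toolbarqueries.google.com rather than a local IIS host.

```python
"""Rebuild the request from the hex dump in the post and locate the
signature pattern.  Added example, not part of the original Snort-sigs
post.  Assumption: the bytes SID 972 looks for are "%2e" followed by
"asp", case-insensitive; inferred from the rule message, not the rule file.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hex dump copied from the post above: "offset : 16 hex bytes   ascii".
HEXDUMP = """\
000 : 47 45 54 20 2F 73 65 61 72 63 68 3F 63 6C 69 65   GET /search?clie
010 : 6E 74 3D 6E 61 76 63 6C 69 65 6E 74 2D 61 75 74   nt=navclient-aut
020 : 6F 26 63 68 3D 36 32 33 33 37 38 35 33 31 36 35   o&ch=62337853165
030 : 26 66 72 65 73 68 6E 65 73 73 5F 63 68 65 63 6B   &freshness_check
040 : 3D 34 5A 37 57 34 53 45 31 31 70 4E 5F 5F 72 5F   =4Z7W4SE11pN__r_
050 : 6C 4E 78 61 59 77 26 69 71 72 6E 3D 31 61 56 26   lNxaYw&iqrn=1aV&
060 : 69 65 3D 55 54 46 2D 38 26 6F 65 3D 55 54 46 2D   ie=UTF-8&oe=UTF-
070 : 38 26 66 65 61 74 75 72 65 73 3D 52 61 6E 6B 26   8&features=Rank&
080 : 71 3D 69 6E 66 6F 3A 68 74 74 70 25 33 41 25 32   q=info:http%3A%2
090 : 46 25 32 46 65 6C 65 61 72 6E 69 6E 67 25 32 45   F%2Felearning%2E
0a0 : 65 73 69 25 32 44 69 6E 74 6C 25 32 45 63 6F 6D   esi%2Dintl%2Ecom
0b0 : 25 32 46 25 35 46 79 6F 67 61 25 32 46 73 63 72   %2F%5Fyoga%2Fscr
0c0 : 69 70 74 73 25 32 46 70 64 69 25 32 45 61 73 70   ipts%2Fpdi%2Easp
0d0 : 25 33 46 20 48 54 54 50 2F 31 2E 31 0D 0A 55 73   %3F HTTP/1.1..Us
0e0 : 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C   er-Agent: Mozill
0f0 : 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C   a/4.0 (compatibl
100 : 65 3B 20 47 6F 6F 67 6C 65 54 6F 6F 6C 62 61 72   e; GoogleToolbar
110 : 20 32 2E 30 2E 31 31 34 2E 39 2D 62 69 67 3B 20    2.0.114.9-big;
120 : 57 69 6E 64 6F 77 73 20 58 50 20 35 2E 31 29 0D   Windows XP 5.1).
130 : 0A 48 6F 73 74 3A 20 74 6F 6F 6C 62 61 72 71 75   .Host: toolbarqu
140 : 65 72 69 65 73 2E 67 6F 6F 67 6C 65 2E 63 6F 6D   eries.google.com
150 : 0D 0A 43 61 63 68 65 2D 43 6F 6E 74 72 6F 6C 3A   ..Cache-Control:
160 : 20 6E 6F 2D 63 61 63 68 65 0D 0A 43 6F 6F 6B 69    no-cache..Cooki
170 : 65 3A 20 50 52 45 46 3D 49 44 3D 37 62 61 63 66   e: PREF=ID=7bacf
180 : 63 37 63 32 66 64 65 34 61 38 36 3A 54 4D 3D 31   c7c2fde4a86:TM=1
190 : 30 39 35 31 30 37 34 36 30 3A 4C 4D 3D 31 30 39   095107460:LM=109
1a0 : 35 31 30 37 35 35 38 3A 54 42 3D 32 3A 53 3D 64   5107558:TB=2:S=d
1b0 : 77 64 39 45 52 4A 2D 41 67 41 4A 33 2D 55 72 0D   wd9ERJ-AgAJ3-Ur.
1c0 : 0A 0D 0A                                          ...
"""

# Assumed SID 972 pattern (see docstring); "nocase" in Snort terms.
SIGNATURE = re.compile(r"%2easp", re.IGNORECASE)


def parse_hexdump(dump: str) -> bytes:
    """Turn an 'OFF : HH HH ... HH   ascii' dump back into the raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        if " : " not in line:
            continue
        # The hex column ends at the first run of two spaces (the ASCII gutter),
        # so the ASCII rendering on the right is never mistaken for hex digits.
        hex_column = line.split(" : ", 1)[1].split("  ", 1)[0]
        out += bytes.fromhex(hex_column)
    return bytes(out)


def analyze_request(raw: bytes) -> dict:
    """Report where the pattern sits in the request target and decode the URL it carries."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)  # still percent-encoded; path and query kept apart
    q = parse_qs(parts.query).get("q", [""])[0]  # parse_qs percent-decodes
    embedded = q[len("info:"):] if q.startswith("info:") else None
    return {
        "method": method,
        "host": headers.get("host"),
        "path": parts.path,
        "pattern_in_path": bool(SIGNATURE.search(parts.path)),
        "pattern_in_query": bool(SIGNATURE.search(parts.query)),
        "embedded_url": embedded,
    }


if __name__ == "__main__":
    raw = parse_hexdump(HEXDUMP)
    print(f"reassembled {len(raw)} bytes")  # 451, as in the post
    for key, value in analyze_request(raw).items():
        print(f"{key:>17}: {value}")
```

The reassembled length matches the `length = 451` line in the post, which is a quick check that the dump was transcribed intact. The useful output is `pattern_in_path` false and `pattern_in_query` true together with the decoded `embedded_url`: the `.asp` file name belongs to a third-party page passed as a parameter value, not to a resource on the server receiving the request, and the Host header names Google's toolbar endpoint. Whether to handle this by restricting the match to the path portion or by excluding that destination host is a deployment decision; the packet alone only shows that the encoded URL lives in a parameter.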