[Snort-sigs] False Positive

nnposter at ...592...
Tue Jan 18 13:40:22 EST 2005


fmonkey at ...2963... wrote:
> Rule:  WEB-IIS %2E-asp access
> --
> Sid: 972
> --
> Summary:  Google toolbar encodes period when checking on updates to web
> pages.
> --
> Impact: N/A
> 
> --
> Detailed Information:  It appears the Google toolbar checks for the
> "freshness" of a page, and encodes the URL of the page as part of the
> request to the Google server.  This triggers the alert, but there is no
> attack.

This is a known issue with this rule. You can try this fix, which I proposed a while ago:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-IIS %2E-asp access"; flow:to_server,established; 
uricontent:".asp"; nocase; content:"%2Easp"; nocase; 
pcre:"/^\s*[A-Z]+[ \t]+[^\s\?]*(?i)%2Easp\b/m"; 
reference:bugtraq,1814; reference:cve,CAN-1999-0253; 
classtype:web-application-activity; sid:makeyourown; rev:makeyourown;)

Cheers,
nnposter
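To see why the proposed pcre suppresses the toolbar false positive while the plain content check does not, here is an added example that is not part of the original post: both sample requests, the query parameter names, and the request-URI decoding used as a rough stand-in for Snort's normalized URI buffer are constructed for illustration, and the rule's inline `(?i)` is written as Python's equivalent scoped `(?i:...)` group because the re module rejects a bare mid-pattern flag.

```python
import re
from urllib.parse import unquote

# Constructed sample requests (not from the original post). The first is the
# kind of request the rule is meant to catch: "%2E" stands in for the "." of
# ".asp" in the request path itself. The second mimics the reported false
# positive: a toolbar-style lookup whose query string carries another page's
# URL, percent-encoded, so "%2Easp" appears only after the "?".
ENCODED_PATH_REQUEST = (
    b"GET /scripts/default%2Easp HTTP/1.0\r\n"
    b"Host: www.example.test\r\n\r\n"
)
TOOLBAR_STYLE_REQUEST = (
    b"GET /lookup?client=toolbar&q=info:http://www.example.test/news%2Easp HTTP/1.0\r\n"
    b"Host: www.example.test\r\n\r\n"
)

# The pcre from the proposed rule, with "(?i)" rewritten as a scoped group.
# ^ ... [^\s?]* only walks the request path, so a "%2Easp" that sits in the
# query string (after "?") can never satisfy the pattern.
PROPOSED_PCRE = re.compile(rb"^\s*[A-Z]+[ \t]+[^\s?]*(?i:%2Easp)\b", re.M)


def raw_content_match(payload: bytes) -> bool:
    """Equivalent of the unanchored check: content:"%2Easp"; nocase;"""
    return b"%2easp" in payload.lower()


def normalized_uri(payload: bytes) -> str:
    """Request URI from the request line, percent-decoded: an assumed,
    simplified stand-in for Snort's normalized URI buffer."""
    request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    return unquote(parts[1]) if len(parts) >= 2 else ""


def proposed_rule_fires(payload: bytes) -> bool:
    """All three options of the proposed rule must match for an alert."""
    return (
        ".asp" in normalized_uri(payload).lower()       # uricontent:".asp"; nocase
        and raw_content_match(payload)                  # content:"%2Easp"; nocase
        and PROPOSED_PCRE.search(payload) is not None   # pcre: path only, not query
    )


if __name__ == "__main__":
    for name, req in [("encoded path", ENCODED_PATH_REQUEST),
                      ("toolbar style", TOOLBAR_STYLE_REQUEST)]:
        print(f"{name:14s} raw content: {raw_content_match(req)}  "
              f"proposed rule: {proposed_rule_fires(req)}")
```

The raw content check fires on both requests; the proposed rule fires only on the one whose encoded ".asp" is in the request path.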
