[Snort-sigs] False positive Id=1:1113

Loriente Ara, Luis Antonio loriente at ...3109...
Thu Jul 14 07:08:05 EDT 2005


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  
Actual rule that generates the False Positive.

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC http directory traversal"; flow:to_server,established;
content:"../"; reference:arachnids,297; classtype:attempted-recon;
sid:1113; rev:5;)

--
Sid:
1:1113
--
Summary:
It seems a positive is also generated when ../ is in the Referer part of
the packet.
--
Impact:
low
--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:
Data part of packet that originated false positive.

GET /ibercaja/imagenes/novedad3.jpg HTTP/1.1..Host:
www1.ibercajadirecto.com..User-Agent: Mozilla/5.0 (Windows;U; Win98;
es-ES; rv:1.0.1) Gecko/20020823
etscape/7.0..Accept:text/xml,application/xml,application/xhtml+xml,text/
html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q
=0.2,text/css,*/*;q=0.1..Accept-Language: es-es,
es;q=0.50..Accept-Encoding: gzip, deflate,
compress;q=0.9..Accept-Charset: ISO-8859-1, utf-8;q=0.66,
*;q=.66..Keep-Alive: 300..Connection: keep-alive..Referer:
http://www../..Cookie: AIOCADCT=HPDZWAOBJLOEAD....

--
False Negatives:

--
Corrective Action:

--
Contributors:

-- 
Additional References:


Regards.

-----------------------------------
Luis Loriente Ara
loriente at ...3109...
------------------------------------
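
Added example, not part of the original message and not Snort code: a short Python check that reports which part of an HTTP request contains the `../` pattern from sid 1113, showing that a payload-wide match fires on the Referer header while a match restricted to the request URI does not. The sample requests are constructed (the first is abridged from the dump above, assuming CRLF wherever the dump prints `..`), and the function names are hypothetical.

```python
PATTERN = b"../"  # the content string from sid 1113

# Constructed sample, abridged from the dump in the report above.
FALSE_POSITIVE = (
    b"GET /ibercaja/imagenes/novedad3.jpg HTTP/1.1\r\n"
    b"Host: www1.ibercajadirecto.com\r\n"
    b"Keep-Alive: 300\r\n"
    b"Connection: keep-alive\r\n"
    b"Referer: http://www../\r\n"
    b"Cookie: AIOCADCT=HPDZWAOBJLOEAD\r\n\r\n"
)
# Constructed request with the pattern in the URI itself, for comparison.
TRAVERSAL = b"GET /images/../../private/file.txt HTTP/1.1\r\nHost: example.test\r\n\r\n"

def payload_match(payload):
    """Payload-wide search, as the rule's content option does."""
    return PATTERN in payload

def locate_matches(payload):
    """List the request parts containing the pattern:
    'uri', 'header:<name>', 'body', or 'other' if none of those."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    hits = []
    if len(request_line) >= 2 and PATTERN in request_line[1]:
        hits.append("uri")
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and PATTERN in value:
            hits.append("header:" + name.strip().decode("latin-1").lower())
    if PATTERN in body:
        hits.append("body")
    if not hits and payload_match(payload):
        hits.append("other")  # e.g. malformed request line or header name
    return hits

def uri_match(payload):
    """Match only when the pattern is in the request URI."""
    return "uri" in locate_matches(payload)

if __name__ == "__main__":
    for label, req in (("reported request", FALSE_POSITIVE),
                       ("traversal in URI", TRAVERSAL)):
        print(label, "| payload-wide:", payload_match(req),
              "| URI only:", uri_match(req),
              "| found in:", locate_matches(req))
```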




