[Snort-sigs] False positive - sid:2303

SRH-Lists giermo at ...1992...
Fri Mar 18 13:12:16 EST 2005


> /usr/local/share/snort/web-php.rules:alert tcp $EXTERNAL_NET any -> 
> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll 
> popup.php access"; 
> flow:to_server,established; uricontent:"/popup.php"; nocase; 
> reference:bugtraq,8890; reference:nessus,11487; 
> classtype:web-application-activity; sid:2303; rev:4;)
> 
> I have no idea what triggered this one either.  There's no 
> "popup" or "php" 
> in there, much less a "/popup.php" in the payload.  (This one only 
> triggered once.)

Is it possible that the offending content is in the stream and not in
the packet you are looking at?

Stream4 creates a "pseudo" packet that has all of the content from the
stream, which is then reinserted into the detection engine.

If you are getting these a lot, try running tcpdump or ethereal or snort
in packet logging mode (or sguil with log_packets) and take a look at
the whole stream.  I bet the content is in there someplace.

-steve
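An added illustration of the point Steve makes above (this is example code written for this page, not anything from the thread or from the Snort project): a tiny TCP reassembler and a plain content match, run over a constructed request that is split across segments so that "/popup.php" never appears whole in any single packet. The per-packet check finds nothing, while the reassembled pseudo-packet matches, which is exactly the situation that makes the alert look like a false positive when you only inspect the packet Snort logged. Segment layout, sequence numbers and the `Segment` helper are constructed for the example; the match here ignores Snort's URI normalization and only mimics `nocase`.

```python
# Added example (not from the thread): why a Snort content match can fire
# on the Stream4 reassembled pseudo-packet even though no single packet on
# the wire carries the matching bytes.
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


# Constructed sample: one HTTP request split across three segments, delivered
# out of order. The string "/popup.php" straddles the first segment boundary,
# and the second half is upper-cased to exercise the nocase behaviour.
SEGMENTS = [
    Segment(1000, b"GET /cgi-bin/po"),
    Segment(1028, b"HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Segment(1015, b"PUP.php?id=3 "),
]


def reassemble(segments):
    """Order segments by sequence number and concatenate their payloads, the
    way a stream preprocessor builds its pseudo-packet. Gaps and overlaps are
    rejected here; a real reassembler has explicit policies for both."""
    stream = b""
    expected = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is not None and seg.seq != expected:
            raise ValueError(f"gap or overlap at seq {seg.seq}")
        stream += seg.payload
        expected = seg.seq + len(seg.payload)
    return stream


def content_match(data, pattern, nocase=True):
    """Plain substring match standing in for uricontent (no URI
    normalization); nocase folds both sides to lowercase like the rule's
    nocase modifier."""
    if nocase:
        return pattern.lower() in data.lower()
    return pattern in data


def per_packet_hits(segments, pattern):
    """Sequence numbers of the individual packets that match on their own."""
    return [seg.seq for seg in segments if content_match(seg.payload, pattern)]


def stream_hit(segments, pattern):
    """Whether the reassembled stream matches."""
    return content_match(reassemble(segments), pattern)


if __name__ == "__main__":
    pat = b"/popup.php"
    print("per-packet matches:", per_packet_hits(SEGMENTS, pat))   # []
    print("reassembled stream matches:", stream_hit(SEGMENTS, pat))  # True
    print(reassemble(SEGMENTS).decode(errors="replace"))
```

When checking such an alert against a capture, follow the whole TCP conversation (the stream, not the single logged packet) and apply the same case folding the rule does; that is the view the detection engine actually had.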