[Snort-sigs] Another false positive - sid:2435

Scott Dexter scott.dexter at ...2420...
Fri Mar 18 14:50:39 EST 2005


With a space you always run the chance of a false negative too. You're
kind of rehashing the same point here. Sounds more like you need some
rules tuning here.

Scott


On Fri, 18 Mar 2005 16:45:37 -0600, Paul Schmehl <pauls at ...1311...> wrote:
> /usr/local/share/snort/web-client.rules:alert tcp $HOME_NET any ->
> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft emf metafile access";
> flow:from_client,established; uricontent:".emf"; reference:bugtraq,10120;
> reference:bugtraq,9707; reference:cve,2003-0906; classtype:attempted-user;
> sid:2435; rev:4;)
> 
> Payload:
> 
> length = 326
> 
> 000 : 47 45 54 20 2F 69 2E 70 2E 65 6D 66 65 6D 61 6C   GET /i.p.emfemal
> 010 : 65 2E 67 69 66 20 48 54 54 50 2F 31 2E 31 0D 0A   e.gif HTTP/1.1..
> 020 : 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A 52 65 66   Accept: */*..Ref
> 030 : 65 72 65 72 3A 20 68 74 74 70 3A 2F 2F 62 79 31   erer: http://by1
> 040 : 30 31 66 64 2E 62 61 79 31 30 31 2E 68 6F 74 6D   01fd.bay101.hotm
> 050 : 61 69 6C 2E 6D 73 6E 2E 63 6F 6D 2F 63 67 69 2D   ail.msn.com/cgi-
> 060 : 62 69 6E 2F 64 61 73 70 2F 45 4E 2F 72 74 65 5F   bin/dasp/EN/rte_
> 070 : 5F 5F 31 30 30 30 30 30 30 33 2E 61 73 70 0D 0A   __10000003.asp..
> 080 : 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A   Accept-Language:
> 090 : 20 65 6E 2D 75 73 0D 0A 41 63 63 65 70 74 2D 45    en-us..Accept-E
> 0a0 : 6E 63 6F 64 69 6E 67 3A 20 67 7A 69 70 2C 20 64   ncoding: gzip, d
> 0b0 : 65 66 6C 61 74 65 0D 0A 55 73 65 72 2D 41 67 65   eflate..User-Age
> 0c0 : 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20   nt: Mozilla/4.0
> 0d0 : 28 63 6F 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49   (compatible; MSI
> 0e0 : 45 20 36 2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E   E 6.0; Windows N
> 0f0 : 54 20 35 2E 31 3B 20 53 56 31 3B 20 2E 4E 45 54   T 5.1; SV1; .NET
> 100 : 20 43 4C 52 20 31 2E 31 2E 34 33 32 32 29 0D 0A    CLR 1.1.4322)..
> 110 : 48 6F 73 74 3A 20 67 72 61 70 68 69 63 73 2E 68   Host: graphics.h
> 120 : 6F 74 6D 61 69 6C 2E 63 6F 6D 0D 0A 43 6F 6E 6E   otmail.com..Conn
> 130 : 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69   ection: Keep-Ali
> 140 : 76 65 0D 0A 0D 0A                                 ve....
> 
> Maybe content:".emf%20";?
> 
> Paul Schmehl (pauls at ...1311...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 


-- 
Scott Dexter
"Heroism on command, senseless violence, and all the loathsome
nonsense that goes by the name of patriotism -- how passionately I
hate them!"
"Peace cannot be kept by force. It can only be achieved by understanding."
   -Albert Einstein
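The trade-off the two posts are arguing about (a bare substring match fires on "/i.p.emfemale.gif", while requiring a trailing space risks missing real .emf requests) can be shown by running three matchers over the captured request line. The example below is added for illustration and is not from the thread or from the Snort rule set; the request lines other than the hotmail one are constructed, and the matchers are plain Python stand-ins for the rule's uricontent/pcre options, not Snort syntax.

```python
import re

# Request lines used as the sample set. The first is the request line from the
# payload quoted above; the rest are constructed for this example and were not
# in the original capture. The flag says whether the URI really is a .emf file.
REQUESTS = [
    ("GET /i.p.emfemale.gif HTTP/1.1", False),   # the false positive from the thread
    ("GET /images/logo.emf HTTP/1.1", True),     # constructed: plain .emf file
    ("GET /images/logo.emf?v=2 HTTP/1.1", True), # constructed: .emf with a query string
    ("GET /downloads/LOGO.EMF HTTP/1.0", True),  # constructed: upper-case extension
    ("GET /emf/readme.html HTTP/1.1", False),    # constructed: "emf" only as a directory
]


def request_uri(request_line):
    """Return the request-target from a 'METHOD SP target SP version' line."""
    return request_line.split(" ", 2)[1]


def match_substring(request_line):
    """Behaviour of a bare '.emf' substring match: any occurrence, anywhere in the URI."""
    return ".emf" in request_uri(request_line).lower()


def match_trailing_space(request_line):
    """Require '.emf' followed by the space before the HTTP version.

    This is the 'space' approach Scott warns about: it silences the
    emfemale.gif hit but misses a .emf URI that carries a query string.
    """
    return ".emf " in request_line.lower()


# Treat .emf as an extension: it must end the path or be followed by a
# query, fragment or path-parameter delimiter.
EXT_RE = re.compile(r"\.emf(?=$|[?#;])", re.IGNORECASE)


def match_extension(request_line):
    """Anchor on the extension boundary instead of on a literal space."""
    return EXT_RE.search(request_uri(request_line)) is not None


def evaluate(matcher, requests=REQUESTS):
    """Return (false_positives, false_negatives) for a matcher over the sample set."""
    fps = [r for r, is_emf in requests if matcher(r) and not is_emf]
    fns = [r for r, is_emf in requests if not matcher(r) and is_emf]
    return fps, fns


if __name__ == "__main__":
    for m in (match_substring, match_trailing_space, match_extension):
        fps, fns = evaluate(m)
        print(f"{m.__name__}: {len(fps)} false positive(s), {len(fns)} false negative(s)")
```

Run as-is, the substring matcher reports the one false positive from the capture, the trailing-space matcher trades it for a false negative on the query-string request, and the extension-boundary matcher gets all five right. In a real rule the equivalent of EXT_RE would go in a pcre option with the same lookahead, which is the kind of tuning the reply recommends over adding a literal space.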



