[Snort-sigs] false positive for DOUBLE DECODING ATTACK

Wolfgang Rohdewald wolfgang at ...3169...
Mon Oct 17 05:21:07 EDT 2005


Rule:
(http_inspect) DOUBLE DECODING ATTACK
--
Sid:
n/a
--
Summary:
I get this when I first access www.sixt.de and then click on
"PREISE & RESERVIERUNG" but only if I use konqueror 3.4.2.
The same works flawlessly with firefox 1.0.7
--
Impact:
Snort says my system is attacking www.sixt.de which is not true.
--
Detailed Information:
I have ethereal traces for both konqueror and firefox but I cannot see any relevant difference. I can mail them but I hope you can reproduce this yourself.
--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:

--
False Negatives:

--
Corrective Action:

--
Contributors:
Wolfgang Rohdewald <wolfgang at ...3169...>
--
Additional References:

-- 

mit freundlichen Grüssen

with my best greetings

Wolfgang Rohdewald

dipl. Informatik Ing. ETH Rohdewald Systemberatung
Karauschenstieg 4
D 21640 Horneburg
Tel.:     04163 826 819
Fax:      04163 826 828
Internet: http://www.rohdewald.de




More information about the Snort-sigs mailing list