[Snort-sigs] False positive for sid 1478

Brock, Anthony - NET Anthony.Brock at ...3227...
Fri May 26 05:04:42 EDT 2006

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

Rule:  WEB-CGI swc access

Sid: 1478

False Positives: This rule will match on any web access that includes
the '/swc' string. So, a URL that contains
'http://<server>/~waggones/swcity/f/art2.jpg' incorrectly matches.

Corrective Action: Modify the uricontent to match on a script. Either
look for '/swc?' or possibly look for 'ctr' in the POST variables.

More information about the Snort-sigs mailing list