[Snort-sigs] False positive in GEN:SID 1:3634

Brian Epstein snort at ...3290...
Fri Feb 23 11:43:58 EST 2007


First time posting about a false positive, so please forgive me if I'm
doing it incorrectly.

Rule:  WEB-CLIENT Mozilla bitmap width integer overflow multipacket
attempt

--
Sid: 3634

--
False Positives: This rule reports on contents containing "BM" which
matches on both "BMP" and on "IBM HTTP Server."  I am getting false
positives when a packet includes "IBM HTTP Server" and the other parts
of the rule.  Here is the rule I am using:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
Mozilla bitmap width integer overflow multipacket attempt";
flow:to_client,established; flowbits:isset,http.bmp; content:"BM";
byte_test:4,>,83386080,16,relative,little; reference:bugtraq,11171;
reference:cve,2004-0904;
reference:url,bugzilla.mozilla.org/show_bug.cgi?id=255067;
classtype:attempted-admin; sid:3634; rev:2;)

Would it be beneficial to change the content:"BM" to content:"BMP" in
the rule?

Thanks,
Brian

-- 
Brian Epstein <snort at ...3290...>
Key fingerprint = F9C8 A715 933E 6A64 C220  482B 02CF B6C8 DB7F 41B4
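Added example (not from the original post or the Snort rule set): the content/byte_test pair of sid 3634 modelled in Python and run over constructed samples, once with the rule's own "BM" pattern and once with the proposed "BMP" pattern. A bitmap file's signature is the two bytes "BM" followed by the binary file size, so the samples are built that way; the flowbits precondition is assumed satisfied and the retry-on-failed-byte_test behaviour is an approximation of Snort's engine.

```python
import struct

# Threshold and offset taken from sid 3634:
#   content:"BM"; byte_test:4,>,83386080,16,relative,little;
WIDTH_THRESHOLD = 83386080
BYTE_TEST_OFFSET = 16


def byte_test_value(payload: bytes, match_end: int):
    """Read the 4-byte little-endian unsigned value the byte_test inspects,
    16 bytes past the end of a content match. None if the payload is short."""
    pos = match_end + BYTE_TEST_OFFSET
    if pos + 4 > len(payload):
        return None
    return struct.unpack_from("<I", payload, pos)[0]


def rule_3634_matches(payload: bytes, pattern: bytes = b"BM") -> bool:
    """Approximate the content + byte_test pair of sid 3634 on one payload.

    content:"BM" carries no nocase, so the match is case-sensitive. When the
    relative byte_test fails, Snort retries with the next occurrence of the
    pattern, so every occurrence is tried here. The flowbits:isset,http.bmp
    precondition is assumed to have been set by the companion rule."""
    start = 0
    while (idx := payload.find(pattern, start)) != -1:
        value = byte_test_value(payload, idx + len(pattern))
        if value is not None and value > WIDTH_THRESHOLD:
            return True
        start = idx + 1
    return False


def bmp_header(width: int) -> bytes:
    """Constructed 1x1 32-bpp BMP: 14-byte BITMAPFILEHEADER followed by a
    40-byte BITMAPINFOHEADER, so biWidth sits at file offset 18, which is
    exactly 16 bytes past the end of the "BM" signature."""
    file_hdr = b"BM" + struct.pack("<IHHI", 58, 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, 1, 1, 32, 0, 4,
                           2835, 2835, 0, 0)
    return file_hdr + info_hdr + b"\x00\x00\x00\x00"


# Constructed samples, not captured traffic.
BENIGN_BMP = bmp_header(640)
OVERSIZED_BMP = bmp_header(0x7FFFFFFF)
# HTTP response whose Server header contains "BM" inside "IBM". The four
# bytes 16 past that match are ordinary header text ("nten"); any printable
# ASCII there decodes to at least 0x20202020, far above the threshold of
# 0x04F85EE0, so the byte_test succeeds on plain text alone.
IBM_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: IBM HTTP Server\r\n"
                b"Content-Type: text/html\r\n\r\n<html>")
```

With the "BMP" pattern neither the oversized bitmap nor the IBM response matches, because the bitmap signature is followed by binary size bytes rather than a "P".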