[Snort-sigs] 17494 Falsing on non IE6 systems

Weir, Jason jason.weir at ...3410...
Mon Nov 1 10:37:10 EDT 2010

Looks like this rule was updated to rev:3 over the weekend and it's
still falsing on non IE6 systems...

How come no content match on the IE version??

My last 2 hits were on googleadservices.com and googleusercontent.com

Back to being disabled I guess..


>On Oct 27, 2010, at 13:01 PM, Joel Esler wrote:
>Current revision on this rule is rev:3.  It looks nothing like the
>Thanks for the feedback Jason.
>On Oct 27, 2010, at 8:51 AM, L0rd Ch0de1m0rt wrote:
>> Yea, this is a terribly written rule, especially with Web 2.0
>> technologies and advertising companies preferring to create ginormous
>> URIs.  It's not browser specific ... all modern browsers support
>> URIs>206 bytes and the RFC doesn't specify a limit....
>> Are you running the latest version of this rule?  I could be thinking
>> of a different rule but I thought that when this one came out it
>> everyone started complaining about it and they disabled it.  I
>> recommend all who are running it to disable it.
>> -L0rd C.
>> On Wed, Oct 27, 2010 at 7:37 AM, Weir, Jason <jason.weir at ...3410...>
>>> Tons of false positives on machines running IE7 & 8...
>>> Maybe do a content match on the IE6 user agent - something like
>>> content:"compatible; MSIE 6."
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>>> Microsoft Internet Explorer Long URL Buffer Overflow attempt";
>>> flow:established,to_server; urilen:>260; content:"GET"; http_method;
>>> content:"HTTP|2F|1|2E|1|0D 0A|"; metadata:service http;
>>> reference:bugtraq,19667; reference:cve,2006-3869;
>>> classtype:attempted-user; sid:17494; rev:1;)
>>> Jason


Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.

More information about the Snort-sigs mailing list