[Snort-sigs] 17494 Falsing on non IE6 systems

Weir, Jason jason.weir at ...3410...
Mon Nov 1 10:37:10 EDT 2010


Looks like this rule was updated to rev:3 over the weekend and it's
still falsing on non IE6 systems...

How come no content match on the IE version??

My last 2 hits were on googleadservices.com and googleusercontent.com

Back to being disabled I guess..

-Jason

>On Oct 27, 2010, at 13:01 PM, Joel Esler wrote:
>
>Current revision on this rule is rev:3.  It looks nothing like the below.
>
>Thanks for the feedback Jason.
>
>Joel
>
>On Oct 27, 2010, at 8:51 AM, L0rd Ch0de1m0rt wrote:
>
>> Yea, this is a terribly written rule, especially with Web 2.0
>> technologies and advertising companies preferring to create ginormous
>> URIs.  It's not browser specific ... all modern browsers support
>> URIs>206 bytes and the RFC doesn't specify a limit....
>> 
>> Are you running the latest version of this rule?  I could be thinking
>> of a different rule but I thought that when this one came out it
>> everyone started complaining about it and they disabled it.  I
>> recommend all who are running it to disable it.
>> 
>> -L0rd C.
>> 
>> On Wed, Oct 27, 2010 at 7:37 AM, Weir, Jason <jason.weir at ...3410...> wrote:
>>> Tons of false positives on machines running IE7 & 8...
>>> 
>>> Maybe do a content match on the IE6 user agent - something like
>>> content:"compatible; MSIE 6."
>>> 
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT
>>> Microsoft Internet Explorer Long URL Buffer Overflow attempt";
>>> flow:established,to_server; urilen:>260; content:"GET"; http_method;
>>> content:"HTTP|2F|1|2E|1|0D 0A|"; metadata:service http;
>>> reference:bugtraq,19667; reference:cve,2006-3869;
>>> classtype:attempted-user; sid:17494; rev:1;)
>>> 
>>> Jason

