[Snort-sigs] Excessive alerts on SID 17407 -- Windows help file download

Bachelor, Stephen A CTR USSOCOM HQ Stephen.Bachelor.ctr at ...3354...
Fri Jan 27 13:58:32 EST 2012


This often triggers on content which is not a help file, such as "GET
/iu/api/res/1.2/Ip7475OzCLIWah.hLpjbYw--/YXBwaWQ9eXZpZ"

Is there any reason I shouldn't add, after the content rule,
pcre:"/\.hlp[^a-zA-Z0-9]/smi";
	

Original rule text below: 

	Rule    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"WEB-CLIENT Windows help file download request";
flow:to_server,established; content:".hlp"; nocase; http_uri;
metadata:policy balanced-ips drop, policy security-ips drop, service
http; reference:cve,2006-3357; reference:cve,2006-4138;
classtype:attempted-user; sid:17407; rev:4; )


	





More information about the Snort-sigs mailing list