Tue Mar 13 12:20:08 EDT 2012
On 03/13/12 11:03, Joel Esler wrote:
> Well, we have a rule that fires on that initially..
> But it's set to noalert as we think it'll be FP prone.
Ouch, I completely missed that one; it's new and wasn't in my tarball.
Yes, it will false-positive. I had tried something similar, and the URI
structures in a few sites, especially video sites, cause it to false.
It is worth setting a flowbit though.
I'm open to your opinion; I do think there is value in detecting a
terse/basic 'document.location' redirect. Perhaps something like this, with
the direction $EXTERNAL_NET -> $HOME_NET:
file_data; content:"document.location="; depth:18; content:".php?";
along with the PCRE in 21347 without the /U flag -- this will catch more
than just the "showthread.php" variant.
I assume file_data with depth:18 will match on the equivalent of content:"|0d 0a
0d 0a|document.location="; with no normalized buffer. I appreciate any
corrections here if I'm wrong.
PS -- The PCRE in 21347 needs an escape on the period in ".php"... well,
I guess it doesn't matter because of the content match, but I think you
intend one to be there.
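As an added illustration, not part of the thread: a small Python model of how the two content matches behave against the file_data buffer, under the same assumption the post makes (file_data points at the response body after the blank line, with no decoding). The 21347 PCRE is not quoted in the thread, so only the content checks are modelled, and the sample responses are constructed.

```python
from typing import Optional

# Rule options under discussion, modelled by hand (this is an added example,
# not a Snort engine):
#   file_data; content:"document.location="; depth:18; content:".php?";
PATTERN_1 = b'document.location='   # 18 bytes long
DEPTH_1 = 18                         # depth:18 -> only the first 18 bytes of file_data are searched
PATTERN_2 = b'.php?'                 # no distance/within, so an absolute search of the whole buffer


def file_data(raw_response: bytes) -> bytes:
    """Model of the file_data buffer: the HTTP response body after the header block.
    Assumption: no normalisation or decoding is applied to the body."""
    sep = raw_response.find(b'\r\n\r\n')
    return b'' if sep < 0 else raw_response[sep + 4:]


def content_match(buf: bytes, pattern: bytes, depth: Optional[int] = None) -> bool:
    """content:"..."; [depth:N;]  -> with depth, the match must lie within the first N bytes."""
    window = buf if depth is None else buf[:depth]
    return pattern in window


def rule_matches(raw_response: bytes) -> bool:
    """Both content options must match for the rule body to fire."""
    buf = file_data(raw_response)
    return (content_match(buf, PATTERN_1, DEPTH_1)
            and content_match(buf, PATTERN_2))


# Constructed sample responses (not captured traffic).
HEAD = b'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
TERSE_REDIRECT = HEAD + b'document.location="showthread.php?t=1";'
WRAPPED_REDIRECT = HEAD + b'<html><script>document.location="showthread.php?t=1";</script>'
VIDEO_SITE = HEAD + b'<html><a href="/watch.php?v=abc">video</a></html>'
```

Because the pattern is exactly 18 bytes, depth:18 means the body must begin with it; a redirect wrapped in markup is not matched by this rule body, which is the trade-off behind calling it a "terse" redirect detector.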