[Snort-sigs] Rule triggers on every request

Michael Kjeldsen valvet at ...2420...
Thu Jan 14 17:01:18 EST 2016


Hi guys  

First time Snort user, not doing too well. I’m using the community rules (all of them), but this one rule is causing a lot of trouble (false positives):

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP info2www access"; flow:to_server,established; content:"/info2www"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1995; reference:cve,1999-0266; reference:nessus,10127; classtype:attempted-recon; sid:827; rev:21;)

I’ve isolated it by removing all other rules and placing this one in local.rules

After a complete Nikto scan against the host, I have 2000+ alerts.

Screenshot of content that’s being matched: http://imgur.com/sLlQlEC

Example data from apache's access log:

178.155.227.210 - - [14/Jan/2016:22:30:12 +0000] "GET /phorum/admin/stats.php HTTP/1.1" 404 400 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:001142)"

Example data (also a match) from u2spewfoo:

Packet
sensor id: 0 event id: 1 event second: 1452810610
packet second: 1452810612 packet microsecond: 869402
linktype: 1 packet_length: 219
[    0] 00 16 3E 6C AE FE 88 A2 5E 97 7E 9B 08 00 45 00  ..>l....^.~...E.
[   16] 00 CD 37 D3 40 00 32 06 71 38 B2 9B E3 D2 B9 1F  ..7.@.2.q8......
[   32] 4F 92 C3 64 00 50 1D 86 EF E7 23 A2 F7 12 80 18  O..d.P....#.....
[   48] 10 00 82 DB 00 00 01 01 08 0A 06 92 90 2B 15 D2  .............+..
[   64] 93 7A 47 45 54 20 2F 70 68 6F 72 75 6D 2F 61 64  .zGET /phorum/ad
[   80] 6D 69 6E 2F 73 74 61 74 73 2E 70 68 70 20 48 54  min/stats.php HT
[   96] 54 50 2F 31 2E 31 0D 0A 43 6F 6E 6E 65 63 74 69  TP/1.1..Connecti
[  112] 6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A  on: Keep-Alive..
[  128] 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69  User-Agent: Mozi
[  144] 6C 6C 61 2F 35 2E 30 30 20 28 4E 69 6B 74 6F 2F  lla/5.00 (Nikto/
[  160] 32 2E 31 2E 35 29 20 28 45 76 61 73 69 6F 6E 73  2.1.5) (Evasions
[  176] 3A 4E 6F 6E 65 29 20 28 54 65 73 74 3A 30 30 31  :None) (Test:001
[  192] 31 34 32 29 0D 0A 48 6F 73 74 3A 20 74 68 65 66  142)..Host: thef
[  208] 6F 72 63 65 2E 64 6B 0D 0A 0D 0A                 orce.dk....


My configuration: http://pastebin.com/zsXWqgJ9  

Thanks

--  
Michael Kjeldsen
Sent with Sparrow (http://www.sparrowmailapp.com/?sig)
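A reference check of what that rule's content match is meant to hit, added here as an example (it is not code from the post or from the Snort project). It parses the frame from the u2spewfoo dump above, pulls the request target out of the HTTP request line, and applies the intent of `content:"/info2www"; http_uri` as a case-sensitive substring test on the URI (the rule carries no `nocase`); a second request, constructed for the example, shows what a genuine hit looks like. It does not reproduce Snort's http_inspect normalization or its fast-pattern matcher, so it shows what the rule should match, not why the deployed sensor fires.

```python
"""Reference check for the intent of SID 827 (content "/info2www" in the URI).

Added example, not from the original post or the Snort project. Full Snort
semantics (http_inspect URI normalization, fast_pattern:only) are not
reproduced; this is the plain meaning of the rule's content/http_uri pair.
"""

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
SID_827_CONTENT = "/info2www"

# Bytes of the 219-byte frame shown in the post's u2spewfoo dump
# (Ethernet II / IPv4 / TCP, HTTP request from the Nikto scan).
FRAME_HEX = """
00 16 3E 6C AE FE 88 A2 5E 97 7E 9B 08 00 45 00
00 CD 37 D3 40 00 32 06 71 38 B2 9B E3 D2 B9 1F
4F 92 C3 64 00 50 1D 86 EF E7 23 A2 F7 12 80 18
10 00 82 DB 00 00 01 01 08 0A 06 92 90 2B 15 D2
93 7A 47 45 54 20 2F 70 68 6F 72 75 6D 2F 61 64
6D 69 6E 2F 73 74 61 74 73 2E 70 68 70 20 48 54
54 50 2F 31 2E 31 0D 0A 43 6F 6E 6E 65 63 74 69
6F 6E 3A 20 4B 65 65 70 2D 41 6C 69 76 65 0D 0A
55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69
6C 6C 61 2F 35 2E 30 30 20 28 4E 69 6B 74 6F 2F
32 2E 31 2E 35 29 20 28 45 76 61 73 69 6F 6E 73
3A 4E 6F 6E 65 29 20 28 54 65 73 74 3A 30 30 31
31 34 32 29 0D 0A 48 6F 73 74 3A 20 74 68 65 66
6F 72 63 65 2E 64 6B 0D 0A 0D 0A
"""
FRAME = bytes.fromhex("".join(FRAME_HEX.split()))

# Constructed for this example (not in the post): a request that really does
# ask for the info2www CGI, so the rule's content should be found in its URI.
INFO2WWW_REQUEST = (b"GET /cgi-bin/info2www HTTP/1.0\r\n"
                    b"Host: example.test\r\n\r\n")


def tcp_payload(frame: bytes) -> bytes:
    """Return the TCP payload of an Ethernet II / IPv4 / TCP frame."""
    if int.from_bytes(frame[12:14], "big") != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # IP header length in bytes
    total_len = int.from_bytes(ip[2:4], "big")     # trims any Ethernet trailer
    if ip[9] != IPPROTO_TCP:
        raise ValueError("not a TCP segment")
    tcp = ip[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4                  # TCP header incl. options
    return tcp[data_off:]


def request_uri(payload: bytes) -> str:
    """Request-target from the HTTP request line: METHOD SP target SP version.

    This is the raw target; Snort's http_uri buffer is the normalized one.
    """
    line, _, _ = payload.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ValueError("not an HTTP request line: %r" % line)
    return parts[1].decode("ascii")


def sid827_should_fire(payload: bytes) -> bool:
    """Intent of SID 827: "/info2www" present in the request URI (no nocase)."""
    return SID_827_CONTENT in request_uri(payload)


def content_anywhere(frame: bytes) -> bool:
    """Sanity check: does the content string occur anywhere in the raw frame?"""
    return SID_827_CONTENT.encode("ascii") in frame


if __name__ == "__main__":
    captured = tcp_payload(FRAME)
    for label, req in (("u2spewfoo packet", captured),
                       ("constructed request", INFO2WWW_REQUEST)):
        print(f"{label}: uri={request_uri(req)!r} "
              f"should_fire={sid827_should_fire(req)}")
    print("content bytes anywhere in captured frame:", content_anywhere(FRAME))
```

Run as-is it reports that the captured Nikto request targets `/phorum/admin/stats.php`, that the rule's content is not in that URI, and that the bytes `/info2www` do not occur anywhere in the frame, while the constructed `/cgi-bin/info2www` request is a hit. That is the baseline to compare a sensor against: if Snort alerts on the first request, the match is not coming from the URI content the rule names.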
