[Snort-users] WEB-MISC false positives
Jason.Haar at ...294...
Sun Oct 7 14:14:04 EDT 2001
We've got a Web app here that ends up receiving large binaries via POST.
Statistically that means Snort's going to go off a LOT of the time, as
basically every character combination will go through at some point in time :-(
I'm getting a lot of false hits on "WEB-MISC /...." and can see a problem in
the web-misc.rules set in general.
There are too many rules that use "content" instead of "uricontent". This
means that for the "WEB-MISC /...." rule I get heaps of hits from the
"middle" of a POST - within the content being sent to the server. Any rule
that is looking for some filename or escape sequence should *always* use
uricontent - anything is valid once the Content-Length: header flows by...
Am I right about this? If so, could someone replace those "content" rules
Also, should the owners of each of these modules be placed in the *.rules
files, so we can harass them directly instead of going through the group :-)
Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
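The distinction the post relies on, as an added illustration that is not part of the original message or of the Snort rule set: Snort's `content` keyword searches the whole packet payload, headers and body alike, while `uricontent` restricts the search to the request URI. The two rule lines in the docstring are written in Snort 1.x syntax as illustrative examples only (no real sid, not copied from web-misc.rules), and the matcher is a simplified model of those two behaviours, not Snort's detection engine. The HTTP requests are constructed for the example.

```python
"""
Why a WEB-MISC rule written with `content` fires on POST bodies while the
same pattern written with `uricontent` does not.

Illustrative rules (Snort 1.x syntax, hypothetical, no sid):

  # weak: `content` searches the entire TCP payload, headers and body alike
  alert tcp any any -> $HTTP_SERVERS 80 (msg:"WEB-MISC /.... access"; \
        flags:A+; content:"/....";)

  # corrected: `uricontent` searches only the request URI
  alert tcp any any -> $HTTP_SERVERS 80 (msg:"WEB-MISC /.... access"; \
        flags:A+; uricontent:"/....";)

The functions below model those two behaviours on a single HTTP request.
"""

PATTERN = b"/...."


def split_request(payload: bytes):
    """Return (method, uri, body) from a raw HTTP/1.x request payload.

    Minimal parsing for the example only; real traffic can span packets and
    Snort normalises the URI (e.g. decodes %xx escapes) before matching.
    """
    head, _, body = payload.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    method = parts[0] if parts else b""
    uri = parts[1] if len(parts) > 1 else b""
    return method, uri, body


def content_match(payload: bytes, pattern: bytes = PATTERN) -> bool:
    """Model of `content:` - pattern anywhere in the packet payload."""
    return pattern in payload


def uricontent_match(payload: bytes, pattern: bytes = PATTERN) -> bool:
    """Model of `uricontent:` - pattern only within the request URI."""
    _, uri, _ = split_request(payload)
    return pattern in uri


# Constructed sample traffic (not captured data).
# 1) A genuine probe: the pattern sits in the URI itself.
PROBE = (b"GET /..../etc/passwd HTTP/1.0\r\n"
         b"Host: www.example.com\r\n\r\n")

# 2) A binary upload whose body happens to contain the same byte sequence.
_binary = bytes(range(256)) * 4 + b"\x00\x12/....\xff\x7f" + bytes(range(256))
UPLOAD = (b"POST /upload HTTP/1.0\r\n"
          b"Host: www.example.com\r\n"
          b"Content-Type: application/octet-stream\r\n"
          + b"Content-Length: %d\r\n\r\n" % len(_binary)
          + _binary)


def evaluate(payload: bytes) -> dict:
    """Run both models over one request and report which would alert."""
    return {"content": content_match(payload),
            "uricontent": uricontent_match(payload)}


if __name__ == "__main__":
    for name, pkt in (("probe", PROBE), ("upload", UPLOAD)):
        print(name, evaluate(pkt))
```

The `content` model alerts on both requests; the `uricontent` model alerts only on the probe, which is the behaviour the post is asking for from rules that describe a filename or escape sequence in the URI. In Snort 2 rules the same restriction is written as `content:"/...."; http_uri;`.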