[Snort-users] WEB-MISC false positives

Jason Haar Jason.Haar at ...294...
Sun Oct 7 14:14:04 EDT 2001

We've got a Web app here that ends up receiving large binaries via POST.
Statistically that means Snort's going to go off a LOT of the time, as
basically every character combination will go through at some point in time :-(

I'm getting a lot of false hits on "WEB-MISC /...." and can see a problem in
the web-misc.rules set in general.

There are too many rules that use "content" instead of "uricontent". This
means that for the "WEB-MISC /...." rule I get heaps of hits from the
"middle" of a POST - within the content being sent to the server. Any rule
that is looking for some filename or escape sequence should *always* use
uricontent - anything is valid once the Content-Length: header flows by...

Am I right about this? If so, could someone replace those "content" rules
with uricontent?

Also, should the owners of each of these modules be placed in the *.rules
files, so we can harass them directly instead of going through the group :-)


Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
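
The false positive described in the message above, as an added example that is not part of the original post and is not Snort code: a simplified model of "content" (whole payload) versus "uricontent" (request URI only) matching for the "/...." pattern. The sample packets, function names and the /upload.cgi path are constructed assumptions.

```python
import re

PATTERN = b"/...."  # the string the "WEB-MISC /...." rule from the post looks for

# A payload only has a URI if it begins with an HTTP request line.
REQUEST_LINE = re.compile(rb"^[A-Z]+ (\S+) HTTP/\d\.\d\r\n")

def request_uri(payload: bytes) -> bytes:
    """Return the request URI, or b'' when the payload has no request line."""
    m = REQUEST_LINE.match(payload)
    return m.group(1) if m else b""

def content_match(payload: bytes, pattern: bytes = PATTERN) -> bool:
    """Model of 'content': search every byte of the packet payload."""
    return pattern in payload

def uricontent_match(payload: bytes, pattern: bytes = PATTERN) -> bool:
    """Model of 'uricontent': search only the request URI."""
    return pattern in request_uri(payload)

def build_post(uri: bytes, body: bytes) -> bytes:
    """Build a minimal POST request (constructed test input)."""
    return (b"POST " + uri + b" HTTP/1.0\r\n"
            b"Content-Type: application/octet-stream\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

# Constructed samples: binary upload data that happens to contain "/....".
BINARY_BODY = b"\x00\x89\x13" + b"/...." + b"\xfe\x10"
UPLOAD_FIRST_PACKET = build_post(b"/upload.cgi", BINARY_BODY)
UPLOAD_LATER_PACKET = b"\x07\x00" + BINARY_BODY      # mid-POST data, no request line
URI_HIT = build_post(b"/..../index.html", b"x=1")     # pattern really is in the URI

def classify(payload: bytes) -> dict:
    """Report which rule style would fire on this payload."""
    return {"content": content_match(payload),
            "uricontent": uricontent_match(payload)}

if __name__ == "__main__":
    for name, pkt in [("upload, first packet", UPLOAD_FIRST_PACKET),
                      ("upload, later packet", UPLOAD_LATER_PACKET),
                      ("pattern in URI", URI_HIT)]:
        print(f"{name:22} {classify(pkt)}")
```

Both upload packets trigger the content-style match and neither triggers the URI-only match, while the request with the pattern in its URI triggers both.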
