[Snort-users] WEB-MISC false positives
bmc at ...950...
Sun Oct 7 14:44:02 EDT 2001
According to Jason Haar:
> There are too many rules that use "content" instead of "uricontent". This
> means that for the "WEB-MISC /...." rule I get heaps of hits from the
> "middle" of a POST - within the content being sent to the server. Any rule
> that is looking for some filename or escape sequence should *always* use
> uricontent - anything is valid once the Content-Length: header flows by...
POST include variables. It's usually a good idea to check the
variables for possible exploitation.
> Am I right about this? If so, could someone replace those "content" rules
> with uricontent?
I reaudited them at your request and updated those where it is sane to
do so. No, /.... is not one of them.
> Also, should the owners of each of these modules be placed in the *.rules
> files, so we can harass them directly instead of going through the group :-)
Yeah. Me. :)
There is a mailing list to discuss rule changes. snort-sigs.
Subscribe to it and bitch about rules there.
Kiss your keyboard goodbye!
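The distinction the thread argues about, as an added illustration that is neither Snort's code nor either poster's: a toy model in which `content` is searched against the whole request payload and `uricontent` only against the request URI, so a benign POST whose form data contains "/...." fires the `content` form of the rule but not the `uricontent` form. It assumes a plain HTTP/1.0 request line and ignores the URI normalization Snort's HTTP decoder performs.

```python
"""Toy model of Snort's `content` vs `uricontent` matching on HTTP requests.

Added illustration, not Snort's implementation: `content` searches the
whole payload, `uricontent` searches only the request URI.
"""


def split_http_request(payload: bytes):
    """Return (uri, body) for a raw HTTP request; uri is b"" if no request line."""
    head, _sep, body = payload.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    return uri, body


def rule_matches(payload: bytes, pattern: bytes, keyword: str) -> bool:
    """Apply one pattern the way a `content` or `uricontent` option would."""
    if keyword == "content":        # whole payload: request line, headers, body
        return pattern in payload
    if keyword == "uricontent":     # request URI only
        uri, _body = split_http_request(payload)
        return pattern in uri
    raise ValueError(f"unknown keyword {keyword!r}")


# Constructed sample traffic: a benign POST whose form data happens to
# contain "/....", and a GET that carries the same string in its URI.
BENIGN_POST = (
    b"POST /guestbook.cgi HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 28\r\n\r\n"
    b"comment=see+section+/..../+3"
)
URI_HIT = b"GET /scripts/..../x.cgi HTTP/1.0\r\nHost: www.example.com\r\n\r\n"


def compare(payload: bytes, pattern: bytes = b"/....") -> dict:
    """Report whether each keyword style would fire on this request."""
    return {k: rule_matches(payload, pattern, k) for k in ("content", "uricontent")}


if __name__ == "__main__":
    for name, pkt in (("benign POST", BENIGN_POST), ("URI hit", URI_HIT)):
        print(name, compare(pkt))
```

The benign POST is exactly the false positive Jason describes; the second request shows the case where both rule styles agree, which is why bmc's answer keeps `content` for rules whose target can legitimately sit in POST variables.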