[Snort-users] WEB-MISC false positives

Brian bmc at ...950...
Sun Oct 7 14:44:02 EDT 2001


According to Jason Haar:
> There are too many rules that use "content" instead of "uricontent". This
> means that for the "WEB-MISC /...." rule I get heaps of hits from the
> "middle" of a POST - within the content being sent to the server. Any rule
> that is looking for some filename or escape sequence should *always* use
> uricontent - anything is valid once the Content-Length: header flows by...

Uh... No.

POST include variables.  Its usually a good idea to check the
variables for possbile exploitation.

> Am I right about this? If so, could someone replace those "content" rules
> with uricontent?

I reaudited them at your request and updated those that it is sane to
do so.  No, /.... is not one of them.

> Also, should the owners of each of these modules be placed in the *.rules
> files, so we can harrass them directly instead of going through the group :-)

Yeah.  Me.  :)

There is a mailing list to discuss rule changes.  snort-sigs.

Subscribe to it and bitch about rules there. 

-- 
Kiss your keyboard goodbye!




More information about the Snort-users mailing list