[Snort-users] WEB-MISC long basic authorization string

Semerjian, Ohanes Semerjian.Ohanes at ...4899...
Mon Apr 7 20:11:29 EDT 2003

Dear all,

I'm getting the  " WEB-MISC long basic authorization string " from source
IPs which are part of our internal network to one host. This host is an
internal web server whom our MIS changed the IP address just before these
alerts start flow. Now I've checked the signature definition which shows
that it takes consideration of the payload. What I would like to know that
if there is other legitimate traffic could fire up this signature..?coz I
don't think a big number of machines on the network are trying to attack
this one host..?

Would appreciate your thoughts

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC long basic
authorization string"; flags:A+; content:"Authorization\: 
Basic "; nocase; dsize:>1000; classtype:attempted-dos;
reference:bugtraq,3230; sid:1260; rev:2;)

Best Regards

Ohanes Semerjian

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030407/9c17aa51/attachment.html>

More information about the Snort-users mailing list