[Snort-users] WEB-MISC long basic authorization string
Semerjian.Ohanes at ...4899...
Tue Apr 8 18:02:07 EDT 2003
Thanks for your reply, but I guess disabling the signature is not my goal...?
I want to know if there is a legitimate traffic that could fire up this
Security Engineer, AsiaPac
International Security Group (Central Services)
Ph:(02) 9434 5636
Mob: 0410 657 249
75DF 2980 5663 2DC1 12CD E43E 94D6 7A9A 222D 3449
From: Matt Yackley [mailto:Matt.Yackley at ...5858...]
Sent: Tuesday, 8 April 2003 11:38 PM
To: Semerjian, Ohanes; 'snort-users at lists.sourceforge.net'
Subject: RE: [Snort-users] WEB-MISC long basic authorization string
I had this issue with Outlook Web Access traffic, I have disabled the rule
for now, at some point though I guess I should just create a pass rule for
the affected box...
From: Semerjian, Ohanes [mailto:Semerjian.Ohanes at ...4899...]
Sent: Monday, April 07, 2003 9:45 PM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] WEB-MISC long basic authorization string
I'm getting the "WEB-MISC long basic authorization string" from source
IPs which are part of our internal network to one host. This host is an
internal web server whose IP address our MIS changed just before these
alerts started to flow. Now I've checked the signature definition, which shows
that it takes the payload into consideration. What I would like to know is
whether there is other legitimate traffic that could fire this signature,
because I don't think a big number of machines on the network are trying to
attack this one host..?
Would appreciate your thoughts
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC long basic authorization string"; flags:A+; content:"Authorization\: Basic "; nocase; dsize:>1000; classtype:attempted-dos; reference:bugtraq,3230; sid:1260; rev:2;)
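Added illustration, not part of the original thread and not Snort code: the rule quoted above tests the size of the whole packet payload (dsize) and the mere presence of the header, not the length of the Basic credential, so a request with an ordinary credential and large other headers satisfies it. The Python sketch below emulates those two payload tests over constructed requests and separates the cases; the 256-byte threshold, the host name, the path and all function names are assumptions.

```python
import base64
import re

# The two payload tests of sid:1260 as quoted in the thread (flags and ports ignored).
NEEDLE = b"authorization: basic "   # content:"Authorization\: Basic "; nocase
DSIZE_MIN = 1000                    # dsize:>1000 (size of the packet payload)
# Assumed triage threshold: a credential longer than this is itself abnormal.
SUSPICIOUS_TOKEN_LEN = 256
AUTH_RE = re.compile(rb"^authorization:[ \t]*basic[ \t]+([^\r\n]*)", re.I | re.M)

def rule_fires(payload: bytes) -> bool:
    """True when both payload tests of the rule match this TCP payload."""
    return len(payload) > DSIZE_MIN and NEEDLE in payload.lower()

def triage(payload: bytes) -> str:
    """Classify a payload: did the rule fire, and was the credential the cause?"""
    if not rule_fires(payload):
        return "no-alert"
    m = AUTH_RE.search(payload)
    token = m.group(1).strip() if m else b""
    if len(token) > SUSPICIOUS_TOKEN_LEN:
        return "alert: long credential"
    try:
        decoded = base64.b64decode(token, validate=True)
    except ValueError:              # binascii.Error is a ValueError subclass
        return "alert: malformed credential"
    if b":" not in decoded:         # Basic auth decodes to user:password
        return "alert: malformed credential"
    return "alert: normal credential, large packet"

def build_request(token: bytes, cookie_len: int) -> bytes:
    """Constructed sample request; host, path and cookie are placeholders."""
    return (b"GET /mail/ HTTP/1.1\r\nHost: mail.example.internal\r\n"
            b"Authorization: Basic " + token + b"\r\n"
            b"Cookie: sessionid=" + b"a" * cookie_len + b"\r\n\r\n")

GOOD = base64.b64encode(b"alice:correct horse")   # constructed credential
SAMPLES = {
    "small": build_request(GOOD, 16),
    "large": build_request(GOOD, 1200),
    "long-credential": build_request(b"A" * 1500, 16),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, len(payload), triage(payload))
```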