[Snort-users] False Alerts 1882 id check returned userid

Lance Worthington lworthington at ...7948...
Thu May 22 09:55:11 EDT 2003


Here is the changes snort made to the following rule.

old: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any
(msg:"ATTACK-RESPONSES id check returned www"; flow:from_server,established;
content:"uid="; content:"(www)"; classtype:bad-unknown; sid:1882; rev:3;)

new: alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id
check returned userid"; content:"uid=";
byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882;
rev:4;)

This alerts was modified on 5/16. I have been getting false positives from
tons of legit http traffic with 'uid=' in it. It seems many websites logins
have syntax in the URL that triggers this alert. Has anyone else been having
the same problem? Would it be too dangerous to write a pass rule for traffic
destinated for port 80? Only about 30 alerts out of 500 are not dst for port
80.

Thanks,
Lance





More information about the Snort-users mailing list