[Snort-users] False Alerts 1882 id check returned userid
Stephen W. Thomas
swthomas at ...9227...
Fri May 23 13:59:02 EDT 2003
I'm getting the same thing. Since our network hosts web sites, I may see if I can tweak this rule or maybe even disable it. The rule seems to be Unix specific so maybe since we are running all Windows systems it can be disabled.
From: Lance Worthington [mailto:lworthington at ...7948...]
Sent: Thu 5/22/2003 9:52 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] False Alerts 1882 id check returned userid
Here is the changes snort made to the following rule.
old: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any
(msg:"ATTACK-RESPONSES id check returned www"; flow:from_server,established;
content:"uid="; content:"(www)"; classtype:bad-unknown; sid:1882; rev:3;)
new: alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id
check returned userid"; content:"uid=";
byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882;
This alerts was modified on 5/16. I have been getting false positives from
tons of legit http traffic with 'uid=' in it. It seems many websites logins
have syntax in the URL that triggers this alert. Has anyone else been having
the same problem? Would it be too dangerous to write a pass rule for traffic
destinated for port 80? Only about 30 alerts out of 500 are not dst for port
This SF.net email is sponsored by: ObjectStore.
If flattening out C++ or Java code to make your application fit in a
relational database is painful, don't do it! Check out ObjectStore.
Now part of Progress Software. http://www.objectstore.net/sourceforge
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:
More information about the Snort-users