Snort mailing list archives

owssvr.dll and false positives on sid:1288


From: Michael Scheidell <scheidell () secnap net>
Date: Mon, 11 Nov 2002 12:27:12 -0500 (EST)

False alarms with sid:1288

error.log:[Mon Nov 11 11:57:12 2002] [error] [client 207.103.163.19] File does not exist: /www/SECNAP/htdocs/_vti_bin/owssvr.dll

It looks like a normal client access to a web page, if the client has Microsoft
Office and/or .NET installed.

see: 
http://lists.jammed.com/incidents/2001/10/0124.html

Seems their web browser wants to make sure there isn't a 'discussion' page
or forum for that original request.

Would this fix that script?

Note the ! "/_vti_bin/owssvr.dll" in the uricontent keyword.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg:"WEB-FRONTPAGE /_vti_bin/ access"; flow:to_server,established; \
uricontent:"/_vti_bin/"; nocase; uricontent:!"/_vti_bin/owssvr.dll"; nocase; \
classtype:web-application-activity; sid:1288; rev:5;)

-- 
Michael Scheidell
SECNAP Network Security, LLC 
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Looking for a career in Internet security?
http://www.secnap.net/employment/
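Added example, not part of the original post: a small Python model of how Snort evaluates the `uricontent` options in the tuned rule above, run over the Apache error-log line from the post plus a few constructed ones. It is a toy evaluator, not Snort's engine, and it assumes a single-line rule without semicolons inside quoted values; the document root, the extra log lines and the second rule variant (`nocase` only after the negated pattern) are constructed to show that `nocase` binds only to the `uricontent` immediately before it.

```python
import re

# Tuned rule from the post on a single line, with the exclusion path spelled as
# it appears in the Apache error log (/_vti_bin/owssvr.dll).
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-FRONTPAGE /_vti_bin/ access"; flow:to_server,established; '
        'uricontent:"/_vti_bin/"; nocase; uricontent:!"/_vti_bin/owssvr.dll"; nocase; '
        'classtype:web-application-activity; sid:1288; rev:5;)')

# Constructed variant: nocase only after the negated pattern, so the positive
# "/_vti_bin/" match is case-sensitive.
RULE_NOCASE_ON_NEGATED_ONLY = RULE.replace('uricontent:"/_vti_bin/"; nocase;',
                                           'uricontent:"/_vti_bin/";')

# Constructed document root, taken from the path in the posted log line.
DOCROOT = '/www/SECNAP/htdocs'

# Constructed sample: the real line from the post plus three made-up requests.
SAMPLE_LOG = [
    '[Mon Nov 11 11:57:12 2002] [error] [client 207.103.163.19] File does not exist: '
    '/www/SECNAP/htdocs/_vti_bin/owssvr.dll',
    '[Mon Nov 11 11:58:01 2002] [error] [client 192.0.2.10] File does not exist: '
    '/www/SECNAP/htdocs/_vti_bin/shtml.dll',
    '[Mon Nov 11 11:58:30 2002] [error] [client 192.0.2.11] File does not exist: '
    '/www/SECNAP/htdocs/_VTI_BIN/OWSSVR.DLL',
    '[Mon Nov 11 11:59:00 2002] [error] [client 192.0.2.12] File does not exist: '
    '/www/SECNAP/htdocs/index.html',
]

ERROR_LOG_RE = re.compile(r'\[client (?P<ip>[\d.]+)\] File does not exist: (?P<path>\S+)')


def parse_uricontent(rule):
    """Return (pattern, negated, nocase) tuples for each uricontent option.

    As in Snort, a 'nocase' modifier applies to the content option that
    immediately precedes it. Toy parser: splits on ';', so quoted values must
    not contain semicolons.
    """
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    matches = []
    for opt in (o.strip() for o in body.split(';')):
        if opt.startswith('uricontent:'):
            value = opt[len('uricontent:'):].strip()
            negated = value.startswith('!')
            if negated:
                value = value[1:].strip()
            matches.append([value.strip('"'), negated, False])
        elif opt == 'nocase' and matches:
            matches[-1][2] = True
    return [tuple(m) for m in matches]


def rule_fires(matches, uri):
    """True when every positive pattern is present and every negated one absent."""
    for pattern, negated, nocase in matches:
        hay, needle = (uri.lower(), pattern.lower()) if nocase else (uri, pattern)
        found = needle in hay
        if found == negated:  # positive pattern missing, or negated pattern present
            return False
    return True


def path_to_uri(path, docroot=DOCROOT):
    """Strip the document root so the filesystem path looks like the request URI."""
    return path[len(docroot):] if path.startswith(docroot) else path


def triage(log_lines, rule=RULE):
    """Map each request URI in the error log to whether the rule would alert on it."""
    matches = parse_uricontent(rule)
    results = {}
    for line in log_lines:
        m = ERROR_LOG_RE.search(line)
        if m:
            uri = path_to_uri(m.group('path'))
            results[uri] = rule_fires(matches, uri)
    return results


if __name__ == '__main__':
    for uri, fires in triage(SAMPLE_LOG).items():
        print(f'{"ALERT " if fires else "quiet "} {uri}')
```

With the tuned rule the owssvr.dll request in the posted log line no longer alerts, while other `_vti_bin` requests still do. With the variant that carries `nocase` only after the negated pattern, a request for `/_VTI_BIN/shtml.dll` is missed entirely, which is why the modifier is repeated after each `uricontent`.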

