Snort mailing list archives
RE: False Alerts 1882 id check returned userid
From: "Stephen W. Thomas" <swthomas () techsoft com>
Date: Fri, 23 May 2003 15:53:25 -0500
I'm getting the same thing. Since our network hosts web sites, I may see if I can tweak this rule or maybe even disable it. The rule seems to be Unix specific, so maybe since we are running all Windows systems it can be disabled.

Steve

-----Original Message-----
From: Lance Worthington [mailto:lworthington () calltech com]
Sent: Thu 5/22/2003 9:52 AM
To: snort-users () lists sourceforge net
Cc:
Subject: [Snort-users] False Alerts 1882 id check returned userid

Here are the changes Snort made to the following rule.

old:
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned www"; flow:from_server,established; content:"uid="; content:"(www)"; classtype:bad-unknown; sid:1882; rev:3;)

new:
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882; rev:4;)

This alert was modified on 5/16. I have been getting false positives from tons of legit HTTP traffic with 'uid=' in it. It seems many website logins have syntax in the URL that triggers this alert. Has anyone else been having the same problem? Would it be too dangerous to write a pass rule for traffic destined for port 80? Only about 30 alerts out of 500 are not dst for port 80.

Thanks,
Lance

-------------------------------------------------------
This SF.net email is sponsored by: ObjectStore. If flattening out C++ or Java code to make your application fit in a relational database is painful, don't do it! Check out ObjectStore. Now part of Progress Software.
http://www.objectstore.net/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
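The following is an added example, not code from the thread, from Snort, or from either poster. It models the two revisions of SID 1882 quoted above in a few lines of Python and runs them over constructed packets, so the source of the false positives and the effect of the port-80 pass rule can be seen side by side. Assumptions (none of which come from the thread): $HTTP_PORTS is {80, 443, 8080}; `content` is a plain substring search; `byte_test ... string` converts the grabbed bytes strtoul-style (leading digits only, failing when there are none); `flow:from_server,established` is reduced to a boolean; and the Packet class and sample payloads are made up for the demonstration.

```python
import re
from dataclasses import dataclass

# Assumed value of the $HTTP_PORTS variable (not taken from the thread).
HTTP_PORTS = {80, 443, 8080}


@dataclass
class Packet:
    """Minimal stand-in for the packet fields the two rules look at."""
    name: str
    src_port: int
    dst_port: int
    from_server: bool   # stands in for flow:from_server,established
    payload: bytes


def content_match(payload: bytes, pattern: bytes, start: int = 0) -> int:
    """content:"..." -- return the offset just past the first match, or -1."""
    idx = payload.find(pattern, start)
    return -1 if idx < 0 else idx + len(pattern)


def byte_test_string(payload: bytes, offset: int, nbytes: int, op: str, value: int) -> bool:
    """byte_test:<nbytes>,<op>,<value>,0,relative,string.

    Reads nbytes starting where the previous content match ended and converts
    them as a decimal string. Assumption: conversion is strtoul-like (leading
    whitespace skipped, leading digits used, failure if there is no digit).
    """
    chunk = payload[offset:offset + nbytes]
    if len(chunk) < nbytes:
        return False
    m = re.match(rb"\s*(\d+)", chunk)
    if m is None:
        return False
    n = int(m.group(1))
    return {"<": n < value, ">": n > value, "=": n == value}[op]


def sid1882_rev3(pkt: Packet) -> bool:
    """old rule: tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET, from_server,
    content:"uid="; content:"(www)" (both non-relative, so anywhere in payload)."""
    if not pkt.from_server or pkt.src_port not in HTTP_PORTS:
        return False
    return (content_match(pkt.payload, b"uid=") >= 0
            and content_match(pkt.payload, b"(www)") >= 0)


def sid1882_rev4(pkt: Packet) -> bool:
    """new rule: ip $HOME_NET any -> $EXTERNAL_NET any, content:"uid=";
    byte_test:5,<,65537,0,relative,string. No port or direction constraint."""
    end = content_match(pkt.payload, b"uid=")
    if end < 0:
        return False
    return byte_test_string(pkt.payload, end, 5, "<", 65537)


def pass_rule_dst80(pkt: Packet) -> bool:
    """The pass rule Lance asks about: suppress alerts on traffic destined for port 80."""
    return pkt.dst_port == 80


# Constructed packets, not captures from anyone's network.
SAMPLES = [
    Packet("id_output_from_web_server", 80, 51234, True,
           b"HTTP/1.1 200 OK\r\n\r\nuid=80(www) gid=80(www) groups=80(www)\n"),
    Packet("login_request_with_uid_param", 51235, 80, False,
           b"GET /login?uid=12345&sess=abc HTTP/1.1\r\nHost: example.com\r\n"),
    Packet("profile_request_short_uid", 51236, 80, False,
           b"GET /profile?uid=7 HTTP/1.1\r\nHost: example.com\r\n"),
    Packet("cookie_uid_not_numeric", 80, 51237, True,
           b"HTTP/1.1 200 OK\r\nSet-Cookie: uid=abcdef; Path=/\r\n\r\n"),
    Packet("id_output_on_non_http_port", 4444, 51238, True,
           b"uid=0(root) gid=0(root) groups=0(root)\n"),
]


def summarize(packets=SAMPLES) -> dict:
    """Map packet name -> (rev3 fires, rev4 fires, rev4 still fires after the pass rule)."""
    out = {}
    for p in packets:
        r3 = sid1882_rev3(p)
        r4 = sid1882_rev4(p)
        out[p.name] = (r3, r4, r4 and not pass_rule_dst80(p))
    return out


if __name__ == "__main__":
    for name, (r3, r4, r4_passed) in summarize().items():
        print(f"{name:32s} rev3={r3!s:5s} rev4={r4!s:5s} rev4+pass80={r4_passed}")
```

Run as-is, the output shows the trade-off behind the rule change: rev 4 drops the port and direction constraints so it also catches `id` output leaving on a non-HTTP port (which rev 3 never saw), but any client request carrying a numeric `uid=` query parameter now satisfies `content:"uid="` plus a five-byte number under 65537. Because those false positives are requests to the web server, a pass rule on destination port 80 silences them without touching the server-to-client hits, which matches Lance's observation that only a minority of his alerts were not destined for port 80.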