Snort mailing list archives
SID 1042 and WebDAV
From: "Scott, Joshua" <Joshua.Scott () jacobs com>
Date: Tue, 15 Apr 2003 15:14:48 -0400
I'm getting bombarded by alerts from SID 1042 - "WEB-IIS view source via translate header". According to the info on Arachnids, false positives may be generated due to WebDAV requests. There seem to be a lot of instances of legitimate WebDAV requests (or so I think). I've found that Outlook Express communication with Hotmail, Outlook Web Access (OWA) client communication, and even OWA communication between servers uses WebDAV.

We're a very large Exchange shop (hundreds of servers across the globe), so creating a pass rule or BPF filter at each sensor would be an administrative nightmare. I'd like to look into any possible alternatives before disabling the sig.

Can anyone offer any insight? Am I correct that Exchange/OWA/Outlook Express uses WebDAV? How do other Exchange shops running Snort handle this sig? Do most people leave this sig enabled?

Thank you,

Joshua Scott
Security Architect, CISSP

NOTICE - This communication may contain confidential and privileged information that is for the sole use of the intended recipient. Any viewing, copying or distribution of, or reliance on this message by unintended recipients is strictly prohibited. If you have received this message in error, please notify us immediately by replying to the message and deleting it from your computer.
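An added illustration of the tuning problem Joshua describes, written for this archive page and not part of his post or of the Snort rule set: it mimics what SID 1042 keys on (assumed here to be a request header "Translate: f", per the rule's description), enriches each hit with the HTTP method and a central allow-list of Exchange/OWA networks, and emits Snort 2.x threshold.conf suppress entries from that one list so it can be pushed to every sensor instead of maintaining pass rules per sensor. The request samples, CIDRs and hostnames are constructed placeholders.

```python
import ipaddress

# Constructed samples: an OWA-style WebDAV request and a plain GET, both
# carrying the header the signature keys on, plus a request without it.
REQUESTS = [
    ("10.1.2.3", "PROPFIND /exchange/jscott/Inbox HTTP/1.1\r\n"
                 "Host: owa.example.com\r\nTranslate: f\r\nDepth: 0\r\n\r\n"),
    ("192.0.2.44", "GET /default.asp HTTP/1.0\r\n"
                   "Host: www.example.com\r\nTranslate: f\r\n\r\n"),
    ("198.51.100.7", "GET /index.htm HTTP/1.0\r\nHost: www.example.com\r\n\r\n"),
]

# WebDAV methods that Exchange/OWA clients are expected to send.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK",
                  "COPY", "MOVE", "SEARCH", "SUBSCRIBE", "POLL"}

# Central allow-list of known Exchange/OWA networks (placeholder CIDR).
TRUSTED_NETS = [ipaddress.ip_network("10.1.2.0/24")]

def parse_request(raw):
    """Return (method, {lower-cased header name: value}) from a raw request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method = lines[0].split(" ")[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers

def sid1042_matches(raw):
    """Assumed match condition of SID 1042: a 'Translate: f' request header."""
    _, headers = parse_request(raw)
    return headers.get("translate", "").lower() == "f"

def triage(src_ip, raw, trusted_nets=TRUSTED_NETS):
    """Classify a hit: 'no-match', 'suppressed-trusted-src', 'webdav-review' or 'alert'."""
    if not sid1042_matches(raw):
        return "no-match"
    method, _ = parse_request(raw)
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in trusted_nets):
        return "suppressed-trusted-src"
    if method in WEBDAV_METHODS:
        return "webdav-review"  # looks like a legitimate DAV client; still log it
    return "alert"

def suppress_lines(trusted_nets=TRUSTED_NETS, gid=1, sid=1042):
    """Snort 2.x threshold.conf suppress entries generated from the central list."""
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {net}"
            for net in trusted_nets]

if __name__ == "__main__":
    for src, raw in REQUESTS:
        print(src, triage(src, raw))
    print("\n".join(suppress_lines()))
```

The generated suppress entries silence only the named sources for SID 1042, so the signature stays enabled for everything else.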