Snort mailing list archives

SID 1042 and WebDAV


From: "Scott, Joshua" <Joshua.Scott () jacobs com>
Date: Tue, 15 Apr 2003 15:14:48 -0400

I'm getting bombarded by alerts from SID 1042 - "WEB-IIS view source via
translate header".  According to the info on Arachnids, false positives may
be generated due to WebDAV requests.  There seem to be a lot of instances of
legitimate WebDAV requests (or so I think).  I've found that Outlook Express
communication with Hotmail, Outlook Web Access (OWA) client communication,
and even OWA communication between servers use WebDAV.  We're a very large
Exchange shop (hundreds of servers across the globe) so creating a pass rule
or BPF filter at each sensor would be an administrative nightmare.
 
I'd like to look into any possible alternatives before disabling the sig.
Can anyone offer any insight?  Am I correct that Exchange/OWA/Outlook
Express uses WebDAV?  How do other Exchange shops running Snort handle this
sig?  Do most people leave this sig enabled?
 
Thank you,

Joshua Scott 
Security Architect, CISSP
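An added triage example, not part of this thread: it assumes SID 1042 fires on any HTTP request carrying a `Translate: f` header, and sorts matching requests into buckets so that WebDAV traffic to known Exchange/OWA hosts can be covered by a suppress or pass rule instead of disabling the signature. The server addresses and sample requests are constructed.

```python
"""Triage of Snort SID 1042 hits ("WEB-IIS view source via translate header").

Assumption: the rule matches any HTTP request with a "Translate: f" header.
WebDAV clients (Outlook Express/Hotmail, OWA, Exchange-to-Exchange) send it
legitimately; the IIS source-disclosure shape is a plain GET for a script file.
"""
import re

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "MOVE", "COPY", "LOCK",
                  "UNLOCK", "OPTIONS", "SEARCH", "SUBSCRIBE", "POLL"}
SCRIPT_EXT = re.compile(r"\.(asp|asa|aspx|inc)$")
EXCHANGE_SERVERS = {"10.0.0.5", "10.0.0.6"}  # constructed placeholder hosts


def parse_request(raw):
    """Split a raw HTTP request head into (method, target, lowercase headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0].upper()
    target = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def sid1042_matches(headers):
    """Assumed trigger condition of the signature: Translate: f, any case."""
    return headers.get("translate", "").lower() == "f"


def classify(raw, dst_ip):
    method, target, headers = parse_request(raw)
    if not sid1042_matches(headers):
        return "no_match"
    path = target.split("?", 1)[0].lower()
    if method == "GET" and SCRIPT_EXT.search(path):
        return "suspicious"   # source-disclosure shape; never exempt by host
    if method in WEBDAV_METHODS or dst_ip in EXCHANGE_SERVERS:
        return "webdav"       # candidate for a suppress / pass rule
    return "review"


# Constructed sample hits: (raw request, destination IP).
SAMPLES = [
    ("PROPFIND /exchange/jsmith/Inbox/ HTTP/1.1\r\nHost: mail\r\nTranslate: f\r\n\r\n", "10.0.0.5"),
    ("GET /default.asp HTTP/1.0\r\nHost: www\r\nTranslate: F\r\n\r\n", "10.0.0.20"),
    ("GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n", "10.0.0.20"),
    ("GET /exchange/jsmith/Inbox/ HTTP/1.1\r\nHost: mail\r\nTranslate: f\r\n\r\n", "10.0.0.5"),
]


def triage(samples):
    return [classify(raw, ip) for raw, ip in samples]
```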

 

