Snort mailing list archives

WEB-IIS view source via translate header


From: Elena Escolano Torner <eescolano () tissat es>
Date: Mon, 05 Jan 2004 12:08:15 +0100

Good morning everyone,
we are using snort Version 2.0.2 (Build 92).

We have defined this:
        var DMZ_GVA_HTTP_NO_TRANSLATE [a.a.a.85,b.b.b.68,c.c.c.3,d.d.d.227]

        pass tcp $EXTERNAL_NET any -> $DMZ_GVA_HTTP_NO_TRANSLATE $HTTP_PORTS \
            (msg:"WEB-IIS view source via translate header"; \
            flow: to_server,established; content: "Translate|3a| F"; nocase; \
            reference:bugtraq,1578; reference:arachnids,305; \
            classtype:web-application-activity; sid:1000017; rev:1;)

        alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
            (msg:"WEB-IIS view source via translate header"; \
            flow: to_server,established; content: "Translate|3a| F"; nocase; \
            reference:bugtraq,1578; reference:arachnids,305; \
            classtype:web-application-activity; sid:1042; rev:6;)

We have defined the pass rule to avoid some alarms, but unfortunately
we are getting these alarms:
9.84   108   WEB-IIS view source via translate header   {TCP}
                 28    80.58.44.42     -> b.b.b.68

We have also changed the order in which the rules are processed:
/usr/sbin/snort -D -i eth1 -m 027 -l /var/log/snort -b -u snort -g snort \
    -o -c /etc/snort/snort.conf

Does anyone know what could have happened?

Please reply to:
security () infocentre gva es
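
Added example (not part of the original message): a static check in Python that the pass rule's header covers the flow from the alert summary and that the pass and alert rules share the same detection options. The values of EXTERNAL_NET, HTTP_SERVERS and HTTP_PORTS and the destination port 80 are assumptions, since the message does not show them; the function names are hypothetical.

```python
import re

# Rules copied from the message. The first three var values are ASSUMPTIONS:
# the message does not show how these variables are defined.
CONF = r'''
var EXTERNAL_NET any
var HTTP_SERVERS any
var HTTP_PORTS 80
var DMZ_GVA_HTTP_NO_TRANSLATE [a.a.a.85,b.b.b.68,c.c.c.3,d.d.d.227]
pass tcp $EXTERNAL_NET any -> $DMZ_GVA_HTTP_NO_TRANSLATE $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow: to_server,established; content:  "Translate|3a| F"; nocase; reference:bugtraq,1578; reference:arachnids,305; classtype:web-application-activity; sid:1000017; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS view source via translate header"; flow: to_server,established; content:  "Translate|3a| F"; nocase; reference:bugtraq,1578; reference:arachnids,305; classtype:web-application-activity; sid:1042; rev:6;)
'''

RULE = re.compile(r'(pass|alert)\s+(\S+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
DETECTION = {"flow", "content", "nocase"}  # options that decide whether a packet matches

def parse(conf):
    """Return (variables, {action: rule}). Splits options on ';' (no ';' inside content)."""
    variables, rules = {}, {}
    for line in map(str.strip, conf.splitlines()):
        m = RULE.match(line)
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value
        elif m:
            action, proto, src, sport, dst, dport, body = m.groups()
            opts = [tuple(p.strip() for p in o.split(":", 1)) for o in body.split(";") if o.strip()]
            rules[action] = {"proto": proto, "src": src, "dst": dst, "dport": dport,
                             "detect": [o for o in opts if o[0] in DETECTION]}
    return variables, rules

def covers(field, value, variables):
    """Exact-match test of a header field ($VAR, list or 'any'); no CIDR or negation."""
    if field.startswith("$"):
        field = variables[field[1:]]
    items = field.strip("[]").split(",")
    return "any" in items or value in items

def check(conf, src, dst, dport):
    """Does each rule's header cover the flow, and do both rules match the same payload?"""
    variables, rules = parse(conf)
    hit = lambda r: all(covers(r[k], v, variables) for k, v in (("src", src), ("dst", dst), ("dport", dport)))
    return {"pass_covers_flow": hit(rules["pass"]),
            "alert_covers_flow": hit(rules["alert"]),
            "same_detection": rules["pass"]["proto"] == rules["alert"]["proto"]
                              and rules["pass"]["detect"] == rules["alert"]["detect"]}

if __name__ == "__main__":
    print(check(CONF, "80.58.44.42", "b.b.b.68", "80"))
```

Under these assumptions all three checks come back true for the flow 80.58.44.42 -> b.b.b.68, so the two rules as written are consistent with each other for that flow.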
