Snort mailing list archives
Re: 17494 Falsing on non IE6 systems
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 27 Oct 2010 10:11:35 -0400
That's an idea, I'll look into it. Thanks.

Joel

On Oct 27, 2010, at 9:07 AM, Weir, Jason wrote:
Thanks Joel,

Any chance the revision # could be included on the SID page http://www.snort.org/search/sid/1-17494

That way I could check before posting to the list..

-J

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Wednesday, October 27, 2010 9:02 AM
To: L0rd Ch0de1m0rt
Cc: Weir, Jason; snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] 17494 Falsing on non IE6 systems

Current revision on this rule is rev:3. It looks nothing like the below.

Thanks for the feedback Jason.

Joel

On Oct 27, 2010, at 8:51 AM, L0rd Ch0de1m0rt wrote:

Yea, this is a terribly written rule, especially with Web 2.0 technologies and advertising companies preferring to create ginormous URIs. It's not browser specific ... all modern browsers support URIs >206 bytes and the RFC doesn't specify a limit....

Are you running the latest version of this rule? I could be thinking of a different rule but I thought that when this one came out everyone started complaining about it and they disabled it. I recommend all who are running it to disable it.

-L0rd C.

On Wed, Oct 27, 2010 at 7:37 AM, Weir, Jason <jason.weir () nhrs org> wrote:

Tons of false positives on machines running IE7 & 8...

Maybe do a content match on the IE6 user agent - something like content:"compatible; MSIE 6."

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Internet Explorer Long URL Buffer Overflow attempt"; flow:established,to_server; urilen:>260; content:"GET"; http_method; content:"HTTP|2F|1|2E|1|0D 0A|"; metadata:service http; reference:bugtraq,19667; reference:cve,2006-3869; classtype:attempted-user; sid:17494; rev:1;)

Jason
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
--
Joel Esler
302-223-5974
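An added illustration, not part of any message in this thread and not Snort's own code: a simplified Python model of the rev:1 options quoted above and of the IE6 user-agent content match suggested in the thread, run over constructed requests. The user-agent strings, the host name and all function names are assumptions made for the example.

```python
# Simplified model of the quoted rule options; this is not Snort's matching engine.
URILEN_MIN = 260                   # urilen:>260 from sid:17494 rev:1
IE6_MARK = b"compatible; MSIE 6."  # user-agent substring suggested in the thread

def parse_request(raw: bytes):
    """Split a raw HTTP request into method, URI and a lower-cased header dict."""
    lines = raw.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def rev1_matches(raw: bytes) -> bool:
    """GET in the method, URI longer than 260 bytes, 'HTTP/1.1 CRLF' in the payload."""
    method, uri, _ = parse_request(raw)
    return b"GET" in method and len(uri) > URILEN_MIN and b"HTTP/1.1\r\n" in raw

def ua_scoped_matches(raw: bytes) -> bool:
    """rev:1 logic plus the suggested match on the IE6 user agent."""
    headers = parse_request(raw)[2]
    return rev1_matches(raw) and IE6_MARK in headers.get(b"user-agent", b"")

def build(ua: bytes, uri_len: int) -> bytes:
    """Constructed sample request whose URI is exactly uri_len bytes (max 804)."""
    uri = (b"/ad?" + b"k=v&" * 200)[:uri_len]
    return (b"GET " + uri + b" HTTP/1.1\r\nHost: ads.example\r\n"
            b"User-Agent: " + ua + b"\r\n\r\n")

# Constructed user-agent strings, assumed for the example.
IE8 = b"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
IE6 = b"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
SAMPLES = {
    "ie8_long": build(IE8, 400),   # long ad-style URI from a non-IE6 browser
    "ie6_long": build(IE6, 400),   # long URI from a client reporting IE6
    "ie6_short": build(IE6, 120),  # ordinary short URI
}

def evaluate():
    """Return {sample: (rev1 alert?, user-agent-scoped alert?)}."""
    return {n: (rev1_matches(r), ua_scoped_matches(r)) for n, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, (rev1, scoped) in evaluate().items():
        print(f"{name:10} rev1={rev1!s:5} ua_scoped={scoped}")
```

The User-Agent header is supplied by the client, so the scoped variant limits alerts to traffic that reports itself as IE6.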
Current thread:
- 17494 Falsing on non IE6 systems Weir, Jason (Oct 27)
- Re: 17494 Falsing on non IE6 systems L0rd Ch0de1m0rt (Oct 27)
- Re: 17494 Falsing on non IE6 systems Joel Esler (Oct 27)
- Re: 17494 Falsing on non IE6 systems Weir, Jason (Oct 27)
- Re: 17494 Falsing on non IE6 systems Joel Esler (Oct 27)
- Re: 17494 Falsing on non IE6 systems Lay, James (Oct 27)
- Re: 17494 Falsing on non IE6 systems Weir, Jason (Oct 27)
- Re: 17494 Falsing on non IE6 systems JJC (Oct 27)
- Re: 17494 Falsing on non IE6 systems Weir, Jason (Oct 27)
- Re: 17494 Falsing on non IE6 systems Joel Esler (Oct 27)
- Re: 17494 Falsing on non IE6 systems L0rd Ch0de1m0rt (Oct 27)
- <Possible follow-ups>
- Re: 17494 Falsing on non IE6 systems Weir, Jason (Nov 01)