Snort mailing list archives
Lots of FP's on sid:16214
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Sat, 14 May 2011 16:43:14 +0000
Rule:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DOS Squid Proxy invalid HTTP response code denial of service attempt"; flow:to_client,established; content:"-100"; fast_pattern:only; content:"HTTP"; offset:0; nocase; pcre:"/^HTTP[^\n]+\x2D100/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35812; reference:cve,2009-2622; classtype:denial-of-service; sid:16214; rev:3;)

This one fires off way too many times when webservers just return URIs in the HTML body that have these patterns in the query string. Shouldn't this be taking advantage of the http_inspect preprocessor and narrowing this search to the http_header instead of every frame coming back from the net? I think that small change would fix it.

ASCII packet that fires it:

-- 
Eoin
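To show why the rule as written fires on body traffic and how narrowing it to the response header would behave, here is an added Python simulation that is not part of the post or of the Snort rule set. It approximates sid:16214 rev:3 against raw payloads and compares it with a header-only variant of the same pattern; the three sample payloads and the `response_status_line` parser are constructed for this example and only stand in for what http_inspect would expose.

```python
import re

# Constructed samples, not taken from the original post.
# 1) A response whose status line carries the "-100" code the rule's pattern looks for.
MALFORMED_STATUS = b"HTTP/1.0 -100 Invalid\r\nServer: squid/3.0\r\n\r\n"
# 2) A TCP segment from the middle of a normal response body that happens to
#    start with a URL whose query string contains "-100" (the shape of the
#    packet shown in the post: the segment itself begins with "http://").
BODY_SEGMENT = (
    b"http://ads.example.invalid/cgi-bin/m?cc=1&ci=us-100429&c6=vc,c05\"/>\r\n"
    b"</video_complete>\r\n"
)
# 3) A complete response with the same URL further down in its HTML body.
FULL_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + BODY_SEGMENT

# The rule's pcre: '^' is start of buffer (no /m), '[^\n]+' cannot cross a newline.
PCRE = re.compile(rb"^HTTP[^\n]+\x2D100", re.IGNORECASE)

def rule_as_written(payload: bytes) -> bool:
    """Approximates sid:16214 rev:3 on a raw payload: '-100' anywhere, 'HTTP'
    anywhere (offset:0 with no depth does not pin it to the start, and nocase
    lets 'http://' satisfy it), then the pcre anchored at the payload start."""
    return (b"-100" in payload
            and b"http" in payload.lower()
            and PCRE.match(payload) is not None)

def response_status_line(payload: bytes):
    """Stand-in for the header buffer http_inspect would hand to the rule:
    the first line, only if it is a response status line. A mid-body
    segment has no status line, so nothing is returned for it."""
    first = payload.split(b"\n", 1)[0].rstrip(b"\r")
    return first if re.match(rb"HTTP/\d\.\d ", first, re.IGNORECASE) else None

def rule_header_only(payload: bytes) -> bool:
    """The post's suggestion: apply the same pattern to the response header only."""
    line = response_status_line(payload)
    return line is not None and PCRE.match(line) is not None

def compare():
    """Returns {sample_name: (fires_as_written, fires_header_only)}."""
    samples = {"malformed_status": MALFORMED_STATUS,
               "body_segment": BODY_SEGMENT,
               "full_response": FULL_RESPONSE}
    return {name: (rule_as_written(p), rule_header_only(p))
            for name, p in samples.items()}

if __name__ == "__main__":
    for name, (raw, hdr) in compare().items():
        print(f"{name:17s} as_written={raw!s:5s} header_only={hdr}")
```

The body segment is the only sample where the two variants disagree: the original pattern fires because the segment begins with "http://" and reaches "-100" before any newline, while the header-only variant still catches the malformed status line and ignores body data.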
Current thread:
- Lots of FP's on sid:16214 Eoin Miller (May 14)
- Re: Lots of FP's on sid:16214 rmkml (May 14)
- Re: Lots of FP's on sid:16214 Joel Esler (May 14)