Snort mailing list archives

WEB-MISC false positives


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Mon, 8 Oct 2001 10:13:35 +1300

We've got a Web app here that ends up receiving large binaries via POST.
Statistically that means Snort's going to go off a LOT of the time, as
basically every character combination will go through at some point in time :-(

I'm getting a lot of false hits on "WEB-MISC /...." and can see a problem in
the web-misc.rules set in general.

There are too many rules that use "content" instead of "uricontent". This
means that for the "WEB-MISC /...." rule I get heaps of hits from the
"middle" of a POST - within the content being sent to the server. Any rule
that is looking for some filename or escape sequence should *always* use
uricontent - anything is valid once the Content-Length: header flows by...

Am I right about this? If so, could someone replace those "content" rules
with uricontent?

Also, should the owners of each of these modules be placed in the *.rules
files, so we can harass them directly instead of going through the group :-)

-- 
Cheers

Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
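The distinction the post draws, shown as an added example (not code from the original post, nor from Snort or its rule set): a toy simulation in which a pattern written as `content` is searched over the whole packet payload, so a binary POST body containing the bytes "/...." fires the rule, while the same pattern written as `uricontent` is searched only in the request URI. The rule text is illustrative rather than a verbatim web-misc.rules entry, the sample requests are constructed, and the parser and function names are assumptions made for the demo; the URL-decoding step stands in for the normalisation Snort's HTTP decode preprocessor applied to the URI before `uricontent` inspection.

```python
from urllib.parse import unquote_to_bytes

# Illustrative rule bodies, simplified; not verbatim entries from web-misc.rules.
CONTENT_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
    '(msg:"WEB-MISC /...."; flags:A+; content:"/...."; nocase;)'
)
URICONTENT_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
    '(msg:"WEB-MISC /...."; flags:A+; uricontent:"/...."; nocase;)'
)

PATTERN = b"/...."

# Constructed sample traffic (assumed, for the demo).
# 1. A traversal probe with the pattern in the URI: both rules should fire.
GET_PROBE = (
    b"GET /cgi-bin/...../etc/passwd HTTP/1.0\r\n"
    b"Host: www.example.com\r\n\r\n"
)
# 2. The same probe with the dots percent-encoded: only a URI-normalised
#    match sees it, a raw payload search does not.
ENCODED_PROBE = (
    b"GET /cgi-bin/%2e%2e%2e%2e/etc/passwd HTTP/1.0\r\n"
    b"Host: www.example.com\r\n\r\n"
)
# 3. A clean upload whose binary body happens to contain "/....":
#    the post's false-positive case.
UPLOAD_BODY = (
    b"\x89PNG\r\n\x1a\n" + b"\x00\x10/....\xff\xd8" + bytes(range(32, 127)) * 2
)
POST_UPLOAD = (
    b"POST /app/upload HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/octet-stream\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(UPLOAD_BODY)
    + UPLOAD_BODY
)
# 4. Ordinary traffic: neither rule should fire.
BENIGN_GET = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"


def split_http_request(payload: bytes):
    """Split a raw HTTP request into (method, uri, header_lines, body).

    Minimal parser for the demo: the request line is the first CRLF-terminated
    line and the body starts after the first blank line. Chunked bodies and
    header continuation lines are out of scope here.
    """
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        raise ValueError("not an HTTP request line: %r" % lines[0])
    return parts[0], parts[1], lines[1:], body


def normalise_uri(uri: bytes) -> bytes:
    """Stand-in for the URI normalisation done before uricontent matching:
    decode %xx escapes so '%2e' and '.' compare equal."""
    return unquote_to_bytes(uri)


def content_match(pattern: bytes, payload: bytes) -> bool:
    """'content' semantics: case-insensitive search over the entire payload,
    request line, headers and body alike."""
    return pattern.lower() in payload.lower()


def uricontent_match(pattern: bytes, payload: bytes) -> bool:
    """'uricontent' semantics: case-insensitive search restricted to the
    (normalised) request URI."""
    _, uri, _, _ = split_http_request(payload)
    return pattern.lower() in normalise_uri(uri).lower()


def evaluate(pattern: bytes, payload: bytes) -> dict:
    """Report which of the two rule styles would alert on this payload."""
    return {
        "content": content_match(pattern, payload),
        "uricontent": uricontent_match(pattern, payload),
    }


if __name__ == "__main__":
    samples = [
        ("GET traversal probe", GET_PROBE),
        ("GET encoded probe", ENCODED_PROBE),
        ("POST binary upload", POST_UPLOAD),
        ("benign GET", BENIGN_GET),
    ]
    for label, payload in samples:
        print("%-22s %s" % (label, evaluate(PATTERN, payload)))
```

Run as a script it prints one line per sample: the binary upload is the only case where `content` alerts and `uricontent` stays quiet, and the percent-encoded probe is the only case where the reverse holds, which is the other reason a filename or escape-sequence rule belongs on the URI rather than the raw payload. Keep in mind that this toy sees the whole request at once; Snort of that era matched `content` against each packet's payload, so a large POST gives the pattern many chances to appear.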