Snort mailing list archives
WEB-MISC false positives
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Mon, 8 Oct 2001 10:13:35 +1300
We've got a Web app here that ends up receiving large binaries via POST. Statisically that means Snort's going to go off a LOT of the time, as basically every character combination will go through a some point in time :-( I'm getting a lot of false hits on "WEB-MISC /...." and can see a problem in the web-misc.rules set in general. There are too many rules that use "content" instead of "uricontent". This means that for the "WEB-MISC /...." rule I get heaps of hits from the "middle" of a POST - within the content being sent to the server. Any rule that is looking for some filename or escape sequence should *always* use uricontent - anything is valid once the Content-Length: header flows by... Am I right about this? If so, could someone replace those "content" rules with uricontent? Also, should the owners of each of these modules be placed in the *.rules files, so we can harrass them directly instead of going through the group :-) -- Cheers Jason Haar Information Security Manager Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- WEB-MISC false positives Jason Haar (Oct 07)
- Re: WEB-MISC false positives Brian (Oct 07)