Snort mailing list archives
Re: WEB-MISC false positives
From: Brian <bmc () snort org>
Date: Sun, 7 Oct 2001 17:34:07 -0400
According to Jason Haar:
> There are too many rules that use "content" instead of "uricontent". This means that for the "WEB-MISC /...." rule I get heaps of hits from the "middle" of a POST - within the content being sent to the server. Any rule that is looking for some filename or escape sequence should *always* use uricontent - anything is valid once the Content-Length: header flows by...
Uh... No. POSTs include variables. It's usually a good idea to check the variables for possible exploitation.
> Am I right about this? If so, could someone replace those "content" rules with uricontent?
I reaudited them at your request and updated those that it is sane to do so. No, /.... is not one of them.
> Also, should the owners of each of these modules be placed in the *.rules files, so we can harass them directly instead of going through the group :-)
Yeah. Me. :) There is a mailing list to discuss rule changes: snort-sigs. Subscribe to it and bitch about rules there.

--
Kiss your keyboard goodbye!

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
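The point both sides of this exchange are making can be shown with a small emulation. The Python below is an added example, not code from Snort or from either poster: it models a single-pattern rule written with `content` (pattern searched anywhere in the packet payload, headers and body included) against the same rule written with `uricontent` (pattern searched in the request-URI only), and runs both over constructed HTTP requests. Jason's false positive is the POST whose body happens to contain `/....`; Brian's counterpoint is the POST whose body carries a traversal string in a form variable, which a `uricontent` rule can never see. Real Snort matches `uricontent` against the URI after the HTTP preprocessor has normalized it (decoded `%xx` escapes and so on); this toy uses the raw URI, which is enough to show the distinction. The rule names, request bodies and hostnames are all made up for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Stand-in for one Snort rule with a single pattern.

    uri_only=True models the "uricontent" keyword (search the request-URI
    only); uri_only=False models "content" (search the whole payload).
    """
    name: str
    pattern: bytes
    uri_only: bool


def request_uri(raw: bytes) -> bytes:
    """Return the request-URI from the request line of an HTTP/1.x message.

    Simplification: Snort's uricontent sees the *normalized* URI produced
    by the HTTP preprocessor; here the raw URI is used as-is.
    """
    request_line = raw.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 3:
        raise ValueError("malformed request line: %r" % request_line)
    return parts[1]


def rule_fires(rule: Rule, raw: bytes) -> bool:
    """content searches the full payload; uricontent only the URI."""
    haystack = request_uri(raw) if rule.uri_only else raw
    return rule.pattern in haystack


def fired_rules(rules, raw: bytes):
    """Names of the rules that match one request, in rule order."""
    return [r.name for r in rules if rule_fires(r, raw)]


def build_post(path: bytes, body: bytes) -> bytes:
    """Assemble a well-formed POST with a Content-Length that matches the body."""
    return (b"POST " + path + b" HTTP/1.1\r\n"
            b"Host: www.example.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"\r\n" + body)


# The "/...." pattern from the thread, written both ways, plus a generic
# "../" traversal check written both ways. Names are made up.
RULES = [
    Rule("content /....", b"/....", uri_only=False),
    Rule("uricontent /....", b"/....", uri_only=True),
    Rule("content ../", b"../", uri_only=False),
    Rule("uricontent ../", b"../", uri_only=True),
]

# Constructed sample traffic (not captured packets).
# 1. Jason's case: harmless POST whose body merely mentions "/....".
BENIGN_POST = build_post(b"/guestbook.cgi",
                         b"name=jason&msg=see+the+notes+under+/....+in+the+doc")
# 2. The same pattern actually in the URI: both rule styles should fire.
DOTS_IN_URI = b"GET /.... HTTP/1.0\r\n\r\n"
# 3. Traversal in the URI: both rule styles see it.
TRAVERSAL_IN_URI = b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0\r\n\r\n"
# 4. Brian's case: the same traversal moved into a POST variable, where only
#    a content rule can reach it.
TRAVERSAL_IN_BODY = build_post(b"/cgi-bin/view", b"file=../../etc/passwd")


if __name__ == "__main__":
    for label, req in [("benign POST with /.... in body", BENIGN_POST),
                       ("/.... in URI", DOTS_IN_URI),
                       ("../ in URI", TRAVERSAL_IN_URI),
                       ("../ in POST variable", TRAVERSAL_IN_BODY)]:
        print("%-32s -> %s" % (label, fired_rules(RULES, req)))
```

Running it shows the trade-off in one screen: the `content /....` rule alone fires on the benign POST (the false positive), while the `uricontent ../` rule alone is blind to the traversal carried in the POST body. Which keyword is "right" depends on where the attack string can legitimately arrive, which is why the re-audit moved some rules to `uricontent` and left others, `/....` included, on `content`.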
Current thread:
- WEB-MISC false positives Jason Haar (Oct 07)
- Re: WEB-MISC false positives Brian (Oct 07)