Snort mailing list archives

Re: WEB-MISC false positives


From: Brian <bmc () snort org>
Date: Sun, 7 Oct 2001 17:34:07 -0400

According to Jason Haar:
> There are too many rules that use "content" instead of "uricontent". This
> means that for the "WEB-MISC /...." rule I get heaps of hits from the
> "middle" of a POST - within the content being sent to the server. Any rule
> that is looking for some filename or escape sequence should *always* use
> uricontent - anything is valid once the Content-Length: header flows by...

Uh... No.

POSTs include variables.  It's usually a good idea to check the
variables for possible exploitation.

> Am I right about this? If so, could someone replace those "content" rules
> with uricontent?

I re-audited them at your request and updated those where it is sane to
do so.  No, /.... is not one of them.

> Also, should the owners of each of these modules be placed in the *.rules
> files, so we can harrass them directly instead of going through the group :-)

Yeah.  Me.  :)

There is a mailing list to discuss rule changes: snort-sigs.

Subscribe to it and bitch about rules there. 

-- 
Kiss your keyboard goodbye!

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
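The disagreement above comes down to what part of the packet a rule option is matched against. The following is an added example, not code from the thread or from Snort itself: a small Python model of a plain "content" search (anywhere in the TCP payload) against a "uricontent" search (only the request-URI, after normalization). It runs over three constructed HTTP requests: a POST that carries "/...." only inside a form variable, a GET with "/...." in the URI, and a GET with the same pattern percent-encoded. The URI normalization here is deliberately simplified to percent-decoding and is an assumption about the preprocessor's behaviour, not a reimplementation of it; the request bodies, hostnames and paths are made up for the demonstration.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample requests (not real traffic), as Snort would see them in a
# TCP payload. The POST carries the pattern only inside a form variable; the
# two GETs carry it in the request-URI, once plain and once percent-encoded.
POST_PATTERN_IN_BODY = (
    b"POST /cgi-bin/form.cgi HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b"comment=see+/..../etc/passwd"
)
GET_PATTERN_IN_URI = (
    b"GET /cgi-bin/..../etc/passwd HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
)
GET_PATTERN_ENCODED = (
    b"GET /cgi-bin/%2E%2E%2E%2E/etc/passwd HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
)

PATTERN = b"/...."


def split_request(raw: bytes):
    """Split a raw request into (request_line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    return request_line, headers, body


def normalized_uri(raw: bytes) -> bytes:
    """The request-URI after a simplified stand-in for Snort's URI
    normalization (percent-decoding only; assumed, the real preprocessor
    does more)."""
    request_line, _, _ = split_request(raw)
    fields = request_line.split(b" ")
    if len(fields) < 2:
        return b""
    return unquote_to_bytes(fields[1])


def match_content(raw: bytes, pattern: bytes) -> bool:
    """Model of a plain "content" option: the pattern may sit anywhere in
    the payload, including headers and the POST body."""
    return pattern in raw


def match_uricontent(raw: bytes, pattern: bytes) -> bool:
    """Model of "uricontent": the pattern is searched only in the
    normalized request-URI, never in headers or body."""
    return pattern in normalized_uri(raw)


def match_locations(raw: bytes, pattern: bytes) -> set:
    """Where in the request a plain "content" search finds the pattern."""
    request_line, headers, body = split_request(raw)
    hits = set()
    if pattern in request_line:
        hits.add("request-line")
    if pattern in headers:
        hits.add("headers")
    if pattern in body:
        hits.add("body")
    return hits


if __name__ == "__main__":
    samples = (
        ("POST, pattern in body", POST_PATTERN_IN_BODY),
        ("GET, pattern in URI", GET_PATTERN_IN_URI),
        ("GET, pattern %-encoded in URI", GET_PATTERN_ENCODED),
    )
    for name, req in samples:
        print(f"{name:32} content={match_content(req, PATTERN)!s:5} "
              f"uricontent={match_uricontent(req, PATTERN)!s:5} "
              f"found in {sorted(match_locations(req, PATTERN))}")
```

The three rows make both sides of the thread concrete: "content" fires on the POST body (the hits Jason sees, and also the variable inspection Brian wants to keep), while "uricontent" ignores the body entirely and, because it works on the normalized URI, still catches the percent-encoded form that a raw "content" search misses.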
