Snort mailing list archives
False Alerts 1882 id check returned userid
From: "Lance Worthington" <lworthington () calltech com>
Date: Thu, 22 May 2003 10:52:23 -0400
Here is the changes snort made to the following rule. old: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned www"; flow:from_server,established; content:"uid="; content:"(www)"; classtype:bad-unknown; sid:1882; rev:3;) new: alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882; rev:4;) This alerts was modified on 5/16. I have been getting false positives from tons of legit http traffic with 'uid=' in it. It seems many websites logins have syntax in the URL that triggers this alert. Has anyone else been having the same problem? Would it be too dangerous to write a pass rule for traffic destinated for port 80? Only about 30 alerts out of 500 are not dst for port 80. Thanks, Lance ------------------------------------------------------- This SF.net email is sponsored by: ObjectStore. If flattening out C++ or Java code to make your application fit in a relational database is painful, don't do it! Check out ObjectStore. Now part of Progress Software. http://www.objectstore.net/sourceforge _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- False Alerts 1882 id check returned userid Lance Worthington (May 22)
- <Possible follow-ups>
- RE: False Alerts 1882 id check returned userid Stephen W. Thomas (May 23)