False Alerts 1882 id check returned userid

["Lance Worthington" <lworthington () calltech com>]

Here is the changes snort made to the following rule.

old: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any
(msg:"ATTACK-RESPONSES id check returned www"; flow:from_server,established;
content:"uid="; content:"(www)"; classtype:bad-unknown; sid:1882; rev:3;)

new: alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id
check returned userid"; content:"uid=";
byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882;
rev:4;)

This alerts was modified on 5/16. I have been getting false positives from
tons of legit http traffic with 'uid=' in it. It seems many websites logins
have syntax in the URL that triggers this alert. Has anyone else been having
the same problem? Would it be too dangerous to write a pass rule for traffic
destinated for port 80? Only about 30 alerts out of 500 are not dst for port
80.

Thanks,
Lance



-------------------------------------------------------
This SF.net email is sponsored by: ObjectStore.
If flattening out C++ or Java code to make your application fit in a
relational database is painful, don't do it! Check out ObjectStore.
Now part of Progress Software. http://www.objectstore.net/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users