Snort mailing list archives
RE: WEB-MISC long basic authorization string
From: "Semerjian, Ohanes" <Semerjian.Ohanes () wcom com au>
Date: Wed, 9 Apr 2003 09:00:08 +0800
Matt,

Thanks for your reply, but I guess disabling the signature is not my goal...? I want to know if there is legitimate traffic that could fire up this signature.

Best Regards
Ohanes Semerjian
Security Engineer, AsiaPac
International Security Group (Central Services)
WorldCom International
Ph:(02) 9434 5636
Mob: 0410 657 249
PGP Key 75DF 2980 5663 2DC1 12CD E43E 94D6 7A9A 222D 3449

-----Original Message-----
From: Matt Yackley [mailto:Matt.Yackley () perkinswill com]
Sent: Tuesday, 8 April 2003 11:38 PM
To: Semerjian, Ohanes; 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] WEB-MISC long basic authorization string

I had this issue with Outlook Web Access traffic. I have disabled the rule for now; at some point though I guess I should just create a pass rule for the affected box...

-matt

-----Original Message-----
From: Semerjian, Ohanes [mailto:Semerjian.Ohanes () wcom com au]
Sent: Monday, April 07, 2003 9:45 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] WEB-MISC long basic authorization string

Dear all,

I'm getting the "WEB-MISC long basic authorization string" alert from source IPs which are part of our internal network to one host. This host is an internal web server whose IP address our MIS changed just before these alerts started to flow. Now I've checked the signature definition, which shows that it takes the payload into consideration. What I would like to know is whether there is other legitimate traffic that could fire up this signature..? Because I don't think a big number of machines on the network are trying to attack this one host..?

Would appreciate your thoughts.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC long basic authorization string"; flags:A+; content:"Authorization\: Basic "; nocase; dsize:>1000; classtype:attempted-dos; reference:bugtraq,3230; sid:1260; rev:2;)

Best Regards
Ohanes Semerjian
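An added example, not part of the thread or of Snort itself: the quoted rule tests `dsize:>1000` against the whole packet payload and only requires the `Authorization: Basic ` string to be present somewhere in it, so a large authenticated request with a short credential satisfies both options. The function names, the sample requests and the 1000-byte credential threshold used for triage are assumptions made for this sketch.

```python
import base64
import re

MARKER = b"authorization: basic "   # rule's content string, compared nocase
DSIZE_LIMIT = 1000                  # rule option dsize:>1000

def rule_1260_fires(payload: bytes) -> bool:
    """Emulate the two payload tests of sid 1260 on one TCP segment payload."""
    return len(payload) > DSIZE_LIMIT and MARKER in payload.lower()

_BASIC = re.compile(rb"^authorization:[ \t]*basic[ \t]+([^\r\n]*)", re.I | re.M)

def basic_credential_length(payload: bytes) -> int:
    """Length of the Basic credential token itself; 0 if the header is absent."""
    m = _BASIC.search(payload)
    return len(m.group(1).strip()) if m else 0

def triage(payload: bytes, max_token: int = 1000) -> str:
    """Separate alerts caused by request size from alerts caused by the token.
    max_token is a hypothetical threshold chosen for this example."""
    if not rule_1260_fires(payload):
        return "no-alert"
    if basic_credential_length(payload) > max_token:
        return "alert-long-credential"
    return "alert-large-request-short-credential"

def build_request(token: bytes, body: bytes) -> bytes:
    """Constructed sample request; host and path are placeholders."""
    head = (b"POST /mail/inbox HTTP/1.1\r\n"
            b"Host: mail.example.internal\r\n"
            b"Authorization: Basic " + token + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body

SHORT_TOKEN = base64.b64encode(b"alice:correct horse")   # constructed credential
LARGE_POST = build_request(SHORT_TOKEN, b"x" * 1200)     # big body, short token
SMALL_GET = build_request(SHORT_TOKEN, b"")              # small request
LONG_CRED = build_request(b"A" * 1500, b"")              # oversized token

if __name__ == "__main__":
    for name, pkt in [("LARGE_POST", LARGE_POST), ("SMALL_GET", SMALL_GET),
                      ("LONG_CRED", LONG_CRED)]:
        print(name, len(pkt), basic_credential_length(pkt), triage(pkt))
```

Running the same triage over payloads extracted from the alerting packets shows whether the alerts come from request size or from the credential length.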