Re: 17494 Falsing on non IE6 systems

["Lay, James" <james.lay () wincofoods com>]

Ya count me in here...rev 1 is firing on just about everything....YAY
for us Registered users :)  While I understand the whole pay for rules
thing, holding out on releasing a fixed rule for 30 days, such as this
one, is kinda crappy.  Not releasing improved/new rules yes, but ones
that are broken like this...ya not so much.  Yet another rule disabled.

James

-----Original Message-----
From: Weir, Jason [mailto:jason.weir () nhrs org] 
Sent: Wednesday, October 27, 2010 7:08 AM
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] 17494 Falsing on non IE6 systems

Thanks Joel,

Any chance the revision # could be included on the SID page

http://www.snort.org/search/sid/1-17494

That way I could check before posting to the list..

-J

> -----Original Message-----
> From: Joel Esler [mailto:jesler () sourcefire com]
> Sent: Wednesday, October 27, 2010 9:02 AM
> To: L0rd Ch0de1m0rt
> Cc: Weir, Jason; snort-sigs () lists sourceforge net
> Subject: Re: [Snort-sigs] 17494 Falsing on non IE6 systems
>
>
> Current revision on this rule is rev:3.  It looks nothing like the 
> below.
>
> Thanks for the feedback Jason.
>
> Joel
>
> On Oct 27, 2010, at 8:51 AM, L0rd Ch0de1m0rt wrote:
>
> > Yea, this is a terribly written rule, especially with Web 2.0 
> > technologies and advertising companies preferring to create
> ginormous
> > URIs.  It's not browser specific ... all modern browsers support
> > URIs>206 bytes and the RFC doesn't specify a limit....
> >
> > Are you running the latest version of this rule?  I could
> be thinking
> > of a different rule but I thought that when this one came out it 
> > everyone started complaining about it and they disabled it.  I 
> > recommend all who are running it to disable it.
> >
> > -L0rd C.
> >
> > On Wed, Oct 27, 2010 at 7:37 AM, Weir, Jason <jason.weir () nhrs org>
> > wrote:
> > > Tons of false positives on machines running IE7 & 8...
> > >
> > > Maybe do a content match on the IE6 user agent - something like 
> > > content:"compatible; MSIE 6."
> > >
> > > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"WEB-CLIENT
> > > Microsoft Internet Explorer Long URL Buffer Overflow attempt"; 
> > > flow:established,to_server; urilen:>260; content:"GET";
> http_method;
> > > content:"HTTP|2F|1|2E|1|0D 0A|"; metadata:service http; 
> > > reference:bugtraq,19667; reference:cve,2006-3869; 
> > > classtype:attempted-user; sid:17494; rev:1;)
> > >
> > > Jason


________________________________________________________________________
_____________________

Please visit www.nhrs.org to subscribe to NHRS email announcements and
updates.
------------------------------------------------------------------------
------
Nokia and AT&T present the 2010 Calling All Innovators-North America
contest Create new apps & games for the Nokia N8 for consumers in  U.S.
and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in
marketing Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to
Ovi Store http://p.sf.net/sfu/nokia-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

------------------------------------------------------------------------------
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in  U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store 
http://p.sf.net/sfu/nokia-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs