Snort mailing list archives

Re: 17494 Falsing on non IE6 systems


From: "Weir, Jason" <jason.weir () nhrs org>
Date: Wed, 27 Oct 2010 14:06:34 -0400

What a great idea on the regex - I think something like this will work - for oinkmaster users anyway..

modifysid 17494 "^(.*rev:[12];.*)$" | "#${1}"

Disable rev:1 and rev:2 and let the rest go through..

Thanks,
-J
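An added example, not part of this post and not Oinkmaster's own code: a small Python emulation of what a modifysid line does (a regex substitution applied only to rules carrying the named sid), run over constructed rule lines for sid 17494 at several revisions. It shows the difference between matching rev:[1|2] loosely, which also catches rev:10 or rev:12, and anchoring on the terminating semicolon so that exactly rev:1 and rev:2 are commented out. The rule texts, the helper names and the single-line-rule assumption are mine; the real tool is Perl and its replacement string uses Perl's ${1}, which the helper translates into Python's \g<1>.

```python
import re

# Constructed sample rules: the shape of sid 17494 at several revisions plus an
# unrelated sid. Only the rev:1 line resembles the rule quoted in the thread;
# the other revisions are invented to exercise the revision matching.
SAMPLE_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT long URL"; urilen:>260; sid:17494; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT long URL"; urilen:>260; sid:17494; rev:2;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT long URL"; urilen:>260; sid:17494; rev:3;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT long URL"; urilen:>260; sid:17494; rev:12;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT other"; sid:17495; rev:1;)',
]

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev:\s*(\d+)\s*;')


def perl_to_python_replacement(replacement):
    """Oinkmaster replacement strings use Perl's ${N}; Python's re.sub wants \\g<N>."""
    return re.sub(r'\$\{(\d+)\}', r'\\g<\1>', replacement)


def modifysid(rules, sid, pattern, replacement):
    """Emulate an oinkmaster `modifysid SID "regexp" | "replacement"` line:
    apply the substitution to every rule carrying that sid, leave the rest untouched."""
    pat = re.compile(pattern)
    repl = perl_to_python_replacement(replacement)
    out = []
    for rule in rules:
        m = SID_RE.search(rule)
        if m and int(m.group(1)) == sid:
            rule = pat.sub(repl, rule)
        out.append(rule)
    return out


def commented_revs(rules, sid):
    """Which revisions of `sid` end up commented out after processing."""
    revs = set()
    for rule in rules:
        s, r = SID_RE.search(rule), REV_RE.search(rule)
        if s and r and int(s.group(1)) == sid and rule.lstrip().startswith('#'):
            revs.add(int(r.group(1)))
    return revs


# The regex as first posted in the thread. `[1|2]` is a character class holding
# '1', '|' and '2', and nothing anchors the digit, so "rev:12" matches too.
POSTED = (r'^(.*rev\:[1|2].*)$', '#${1}')
# Anchoring on the terminating ';' makes it match exactly rev:1 and rev:2.
ANCHORED = (r'^(.*rev:[12];.*)$', '#${1}')


def revs_disabled_by(regex_pair, rules=SAMPLE_RULES, sid=17494):
    """Run one modifysid line over the sample rules and report which revs it disabled."""
    pattern, replacement = regex_pair
    return commented_revs(modifysid(rules, sid, pattern, replacement), sid)


if __name__ == '__main__':
    print('posted regex disables revs:  ', sorted(revs_disabled_by(POSTED)))    # [1, 2, 12]
    print('anchored regex disables revs:', sorted(revs_disabled_by(ANCHORED)))  # [1, 2]
```

The point of the check is that a modifysid line lives in oinkmaster.conf for a long time; a loose digit match silently starts disabling rev:10 and later once the rule has been revved that far, which is exactly the "forgot to re-enable" failure the thread is trying to avoid.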

-----Original Message-----
From: JJC [mailto:cummingsj () gmail com] 
Sent: Wednesday, October 27, 2010 1:52 PM
To: Weir, Jason
Cc: Lay, James; snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] 17494 Falsing on non IE6 systems


This doesn't solve your problem, but you could create a regex that disables the rev:1 of that rule and enables the rev:3+ of that rule... that way you don't have to remember to do it, it's automagic when you update to the ruleset that has the revved rule...

JJC

On Wed, Oct 27, 2010 at 9:17 AM, Weir, Jason <jason.weir () nhrs org> wrote:
I agree with James - I had to put a "Re-Enable after 12/1/10" note in the oink config file..

What a PITA..

-J

-----Original Message-----
From: Lay, James [mailto:james.lay () wincofoods com]
Sent: Wednesday, October 27, 2010 10:16 AM
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] 17494 Falsing on non IE6 systems


Ya count me in here...rev 1 is firing on just about everything....YAY for us Registered users :)  While I understand the whole pay for rules thing, holding out on releasing a fixed rule for 30 days, such as this one, is kinda crappy.  Not releasing improved/new rules yes, but ones that are broken like this...ya not so much.  Yet another rule disabled.

James

-----Original Message-----
From: Weir, Jason [mailto:jason.weir () nhrs org]
Sent: Wednesday, October 27, 2010 7:08 AM
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] 17494 Falsing on non IE6 systems

Thanks Joel,

Any chance the revision # could be included on the SID page

http://www.snort.org/search/sid/1-17494

That way I could check before posting to the list..

-J

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Wednesday, October 27, 2010 9:02 AM
To: L0rd Ch0de1m0rt
Cc: Weir, Jason; snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] 17494 Falsing on non IE6 systems


Current revision on this rule is rev:3.  It looks nothing like the below.

Thanks for the feedback Jason.

Joel

On Oct 27, 2010, at 8:51 AM, L0rd Ch0de1m0rt wrote:

Yea, this is a terribly written rule, especially with Web 2.0 technologies and advertising companies preferring to create ginormous URIs.  It's not browser specific ... all modern browsers support URIs >206 bytes and the RFC doesn't specify a limit....

Are you running the latest version of this rule?  I could be thinking of a different rule but I thought that when this one came out everyone started complaining about it and they disabled it.  I recommend all who are running it to disable it.

-L0rd C.

On Wed, Oct 27, 2010 at 7:37 AM, Weir, Jason <jason.weir () nhrs org> wrote:
Tons of false positives on machines running IE7 & 8...

Maybe do a content match on the IE6 user agent - something like content:"compatible; MSIE 6."

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Internet Explorer Long URL Buffer Overflow attempt"; flow:established,to_server; urilen:>260; content:"GET"; http_method; content:"HTTP|2F|1|2E|1|0D 0A|"; metadata:service http; reference:bugtraq,19667; reference:cve,2006-3869; classtype:attempted-user; sid:17494; rev:1;)

Jason
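Added example, not from the thread and not Sourcefire's rule or Snort's engine: a small Python emulation of the rev:1 rule body quoted above, run over constructed HTTP requests, to show why it fires on any long GET from any browser and how the `compatible; MSIE 6.` content match Jason proposes narrows it. The request samples, User-Agent strings and helper names are constructed; urilen is approximated as the raw URI length where Snort measures the normalized URI, and flow/http_method are reduced to parsing the request line.

```python
import re

# Constructed sample requests (not captured traffic): a long tracker-style query
# string from a plain IE8 request, the same from an IE6 User-Agent, and a short one.
LONG_URI = '/ads/track?' + '&'.join(f'p{i}=' + 'x' * 20 for i in range(15))  # well over 260 bytes
IE8_UA = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)'
IE6_UA = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)'


def build_request(uri, user_agent):
    """Minimal HTTP/1.1 GET as a client would send it to $HTTP_PORTS."""
    return (f'GET {uri} HTTP/1.1\r\n'
            f'Host: www.example.com\r\n'
            f'User-Agent: {user_agent}\r\n\r\n')


SAMPLES = {
    'ie8_long':  build_request(LONG_URI, IE8_UA),
    'ie6_long':  build_request(LONG_URI, IE6_UA),
    'ie8_short': build_request('/index.html', IE8_UA),
}

REQUEST_LINE = re.compile(r'^([A-Z]+) (\S+) (HTTP/\d\.\d)\r\n')


def rule_17494_rev1(request, require_ie6=False):
    """Approximation of the rev:1 rule body as quoted in the thread: a GET in an
    HTTP/1.1 request whose URI is longer than 260 bytes. `require_ie6` adds the
    User-Agent content match proposed as a false-positive fix."""
    m = REQUEST_LINE.match(request)
    if not m:
        return False
    method, uri, _version = m.groups()
    if method != 'GET':                       # content:"GET"; http_method;
        return False
    if len(uri) <= 260:                       # urilen:>260;
        return False
    if 'HTTP/1.1\r\n' not in request:         # content:"HTTP|2F|1|2E|1|0D 0A|";
        return False
    if require_ie6 and 'compatible; MSIE 6.' not in request:  # proposed extra match
        return False
    return True


def alerts(samples, require_ie6=False):
    """Names of the sample requests the rule would alert on."""
    return sorted(name for name, req in samples.items() if rule_17494_rev1(req, require_ie6))


if __name__ == '__main__':
    print('rev:1 as posted fires on:  ', alerts(SAMPLES))                    # ['ie6_long', 'ie8_long']
    print('with MSIE 6. content match:', alerts(SAMPLES, require_ie6=True))  # ['ie6_long']
```

For a client-side exploit signature, keying on the affected client's User-Agent is a reasonable way to cut noise: a client that lies about its User-Agent only costs you alerts on traffic from a browser the referenced bug does not affect, while every long URI from IE7/IE8 and every ad tracker stops paging the on-call analyst.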

