Snort mailing list archives
Re: 17494 Falsing on non IE6 systems
From: "Weir, Jason" <jason.weir () nhrs org>
Date: Wed, 27 Oct 2010 14:06:34 -0400
What a great idea on the regex - I think something like this will work - for oinkmaster users anyway..

modifysid 17494 "^(.*rev\:[12]\;.*)$" | "#${1}"

Disable rev:1 and rev:2 and let the rest go through..

Thanks,
-J
-----Original Message-----
From: JJC [mailto:cummingsj () gmail com]
Sent: Wednesday, October 27, 2010 1:52 PM
To: Weir, Jason
Cc: Lay, James; snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] 17494 Falsing on non IE6 systems

This doesn't solve your problem, but you could create a regex that disables the rev:1 of that rule and enables the rev:3+ of that rule... that way you don't have to remember to do it, it's automagic when you update to the ruleset that has the revved rule...

JJC

On Wed, Oct 27, 2010 at 9:17 AM, Weir, Jason <jason.weir () nhrs org> wrote:

I agree with James - I had to put a "Re-Enable after 12/1/10" note in the oink config file.. What a PITA..

-J

-----Original Message-----
From: Lay, James [mailto:james.lay () wincofoods com]
Sent: Wednesday, October 27, 2010 10:16 AM
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] 17494 Falsing on non IE6 systems

Ya count me in here...rev 1 is firing on just about everything....YAY for us Registered users :) While I understand the whole pay for rules thing, holding out on releasing a fixed rule for 30 days, such as this one, is kinda crappy. Not releasing improved/new rules yes, but ones that are broken like this...ya not so much. Yet another rule disabled.

James

-----Original Message-----
From: Weir, Jason [mailto:jason.weir () nhrs org]
Sent: Wednesday, October 27, 2010 7:08 AM
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] 17494 Falsing on non IE6 systems

Thanks Joel,

Any chance the revision # could be included on the SID page http://www.snort.org/search/sid/1-17494 That way I could check before posting to the list..

-J

-----Original Message-----
From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Wednesday, October 27, 2010 9:02 AM
To: L0rd Ch0de1m0rt
Cc: Weir, Jason; snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] 17494 Falsing on non IE6 systems

Current revision on this rule is rev:3. It looks nothing like the below. Thanks for the feedback Jason.

Joel

On Oct 27, 2010, at 8:51 AM, L0rd Ch0de1m0rt wrote:

Yea, this is a terribly written rule, especially with Web 2.0 technologies and advertising companies preferring to create ginormous URIs. It's not browser specific ... all modern browsers support URIs >206 bytes and the RFC doesn't specify a limit.... Are you running the latest version of this rule? I could be thinking of a different rule but I thought that when this one came out everyone started complaining about it and they disabled it. I recommend all who are running it to disable it.

-L0rd C.

On Wed, Oct 27, 2010 at 7:37 AM, Weir, Jason <jason.weir () nhrs org> wrote:

Tons of false positives on machines running IE7 & 8... Maybe do a content match on the IE6 user agent - something like content:"compatible; MSIE 6."

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Internet Explorer Long URL Buffer Overflow attempt"; flow:established,to_server; urilen:>260; content:"GET"; http_method; content:"HTTP|2F|1|2E|1|0D 0A|"; metadata:service http; reference:bugtraq,19667; reference:cve,2006-3869; classtype:attempted-user; sid:17494; rev:1;)

Jason
_____________________________________________________________________________________________
Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
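Added example, not code from the thread or from oinkmaster: a Python emulation of the modifysid substitution run over constructed rev variants of the sid 17494 rule, showing why the character class in the regex needs the trailing `;` before "let the rest go through" holds for rev:10 and up. It assumes oinkmaster applies the regex as a whole-line substitution on the rule text; the rev:2, rev:3 and rev:10 rule texts are constructed here.

```python
import re

# Constructed sample: the rev:1 text of sid 17494 as quoted in the thread;
# other revisions are generated from it below for illustration only.
RULE_REV1 = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"WEB-CLIENT Microsoft Internet Explorer Long URL Buffer Overflow attempt"; '
    'flow:established,to_server; urilen:>260; content:"GET"; http_method; '
    'content:"HTTP|2F|1|2E|1|0D 0A|"; metadata:service http; '
    'reference:bugtraq,19667; reference:cve,2006-3869; '
    'classtype:attempted-user; sid:17494; rev:1;)'
)

def with_rev(rule, rev):
    """Return a copy of the rule with its rev: keyword set to `rev`."""
    return re.sub(r'rev:\d+;', f'rev:{rev};', rule)

def rule_rev(rule):
    """Parse the rev: keyword out of a rule line (None if absent)."""
    m = re.search(r'rev:(\d+);', rule)
    return int(m.group(1)) if m else None

# Two candidate modifysid regexes. [1|2] is a character class containing
# '1', '|' and '2'; with no terminator it also hits rev:10, rev:2x, and so on.
LOOSE_RE = re.compile(r'^(.*rev\:[1|2].*)$')
STRICT_RE = re.compile(r'^(.*rev\:[12]\;.*)$')

def modifysid(rule, pattern, replacement=r'#\1'):
    """Emulate oinkmaster's modifysid: s/pattern/replacement/ on one rule line.
    Assumption: oinkmaster applies the regex to the whole single-line rule."""
    return pattern.sub(replacement, rule)

def disabled_revs(rules, pattern):
    """Map each rule's rev to whether `pattern` would comment the rule out."""
    return {rule_rev(r): modifysid(r, pattern).startswith('#') for r in rules}

if __name__ == '__main__':
    sample = [with_rev(RULE_REV1, r) for r in (1, 2, 3, 10)]
    print('loose :', disabled_revs(sample, LOOSE_RE))   # rev 10 wrongly disabled
    print('strict:', disabled_revs(sample, STRICT_RE))  # only rev 1 and 2 disabled
```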
Current thread:
- 17494 Falsing on non IE6 systems Weir, Jason (Oct 27)
- Re: 17494 Falsing on non IE6 systems L0rd Ch0de1m0rt (Oct 27)
- Re: 17494 Falsing on non IE6 systems Joel Esler (Oct 27)
- Re: 17494 Falsing on non IE6 systems Weir, Jason (Oct 27)
- Re: 17494 Falsing on non IE6 systems Joel Esler (Oct 27)
- Re: 17494 Falsing on non IE6 systems Lay, James (Oct 27)
- Re: 17494 Falsing on non IE6 systems Weir, Jason (Oct 27)
- Re: 17494 Falsing on non IE6 systems JJC (Oct 27)
- Re: 17494 Falsing on non IE6 systems Weir, Jason (Oct 27)
- Re: 17494 Falsing on non IE6 systems Joel Esler (Oct 27)
- Re: 17494 Falsing on non IE6 systems L0rd Ch0de1m0rt (Oct 27)
- <Possible follow-ups>
- Re: 17494 Falsing on non IE6 systems Weir, Jason (Nov 01)