Snort mailing list archives

Lots of FP's on sid:16214


From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Sat, 14 May 2011 16:43:14 +0000

Rule:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DOS Squid Proxy invalid HTTP response code denial of service attempt"; flow:to_client,established; content:"-100"; fast_pattern:only; content:"HTTP"; offset:0; nocase; pcre:"/^HTTP[^\n]+\x2D100/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,35812; reference:cve,2009-2622; classtype:denial-of-service; sid:16214; rev:3;)

This one fires off way too many times when webservers just return URIs 
in the HTML body that have these patterns in the query string. Shouldn't 
this be taking advantage of the http_inspect preprocessor and narrowing 
this search to the http_header instead of every frame coming back from 
the net? I think that small change would fix it.

ASCII packet that fires it:
http://secure-us
.imrworldwide.co
m/cgi-bin/m?cc=1
&amp;ci=us-10042
9&amp;c6=vc,c05&
amp;tl=dav0-${vi
deo.id}%20/%20${
video.headline}&
amp;cg=${video.f
ranchise}&amp;rn
d=${random}"/>.
</video_repla
y>. <video_co
mplete>.
<param name="pin
g" value="http:/
/secure-us.imrwo
rldwide.com/cgi-
bin/m?cc=1&amp;c
i=us-100429&amp;
c6=vc,c05&amp;tl
=dav2-${video.id
}%20/%20${video.
headline}&amp;cg
=${video.franchi
se}&amp;rnd=${ra
ndom}"/>. </v
ideo_complete>.<
/pings>..<!--..
    3. CONFIGURAB
LE FUNCTIONALITY
: PLAYER INSTANC
ES.    ---------
----------------
----------------
----------------
--------------.
    This is where
  we configure ea
ch player instan
ce with override
  parameters for
each..    Ideall
y the player to
use is just a Fl
ashparam in the
embed code...-->
..<!-- FREEWHEEL
  TEST ADS PLAYER
  INSTANCES -->.
<!-- FREEWHEEL "
Main" Player Ins
tance -->.<playe
r name="fw_maing
tv">. <pa
ram name="low_bi
trate" value="30
0" />. <p
aram name="high_
bitrate" value="
300" />.
<param name="aut
ostart" value="o
n" />. <p
aram name="width
" value="696" />
. <param
name="height" va
lue="388" />.
<param na
me="aspect_adjus
t" value="auto"
/>.. <ad_s
erver type="FREE
WHEEL">.
<param name=
"ad_api" value="
http://i.cdn.tur
ner.com/xslo/cvp
/ads/freewheel/b
undles/1/AdManag
er.swf"/>.
<param nam
e="ad_server_roo
t_url" value="ht
tp://BEA4.v.fwmr
m.net"/>.
<param name
="ad_section" va
lue="" />.
<param nam
e="a

-- Eoin
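Added illustration (not part of Eoin's post or of the Snort rule set): a small Python model of why the rule above fires on the dumped segment and why scoping the checks to the reassembled status line and headers removes the false positive. The posted rule is evaluated per packet, so a TCP segment of an HTML body that happens to begin with "http://" satisfies content:"HTTP" offset:0 nocase, and a "-100" later on the same line (here "ci=us-100429") satisfies the pcre. The response bytes, the host "secure-us.example.invalid" and the 128-byte segment size are constructed for the example.

```python
import re

# Pattern from the posted rule's pcre option; Python's re accepts the same syntax.
RULE_PCRE = re.compile(rb"^HTTP[^\n]+\x2D100", re.IGNORECASE)

SEG = 128  # constructed TCP segment size used to slice the stream in the per-packet model


def rule_matches(buf: bytes) -> bool:
    """Model of sid:16214's detection options applied to one buffer:
    content:"-100" anywhere, content:"HTTP" at offset 0 (nocase), then the pcre."""
    return (b"-100" in buf
            and buf[:4].upper() == b"HTTP"
            and RULE_PCRE.search(buf) is not None)


def segments(stream: bytes, size: int = SEG):
    """Slice a reassembled stream into fixed-size payloads (constructed segmentation)."""
    return [stream[i:i + size] for i in range(0, len(stream), size)]


def fires_per_packet(stream: bytes) -> bool:
    """Posted rule as written: every server-to-client segment is tested on its own,
    so a body segment that happens to start with 'http://' looks like a status line."""
    return any(rule_matches(seg) for seg in segments(stream))


def fires_header_scoped(stream: bytes) -> bool:
    """Suggested fix: evaluate only the reassembled status line and headers
    (the buffer http_inspect exposes to header-scoped options), never the body."""
    head, _, _body = stream.partition(b"\r\n\r\n")
    return rule_matches(head)


def build_response(status_line: bytes, url: bytes) -> bytes:
    """Constructed HTML response whose body embeds `url`, padded so the URL
    starts exactly on a segment boundary (the situation in the posted dump)."""
    head = status_line + b"\r\nContent-Type: text/html\r\n\r\n"
    prefix = b"<html><body>"
    pad = b" " * ((-len(head) - len(prefix)) % SEG)
    return head + prefix + pad + url + b"</body></html>\r\n"


# Constructed inputs: a benign tracking URL with '-100' in its query string
# (modelled on the dump in the post, host replaced), and a response carrying
# the negative status code the rule is actually meant to catch.
BENIGN_URL = b"http://secure-us.example.invalid/cgi-bin/m?cc=1&amp;ci=us-100429&amp;c6=vc,c05"
BENIGN_RESPONSE = build_response(b"HTTP/1.1 200 OK", BENIGN_URL)
ATTACK_RESPONSE = build_response(b"HTTP/1.0 -100 Bogus", b"http://example.invalid/")

if __name__ == "__main__":
    for name, resp in (("benign", BENIGN_RESPONSE), ("attack", ATTACK_RESPONSE)):
        print(f"{name}: per-packet={fires_per_packet(resp)} "
              f"header-scoped={fires_header_scoped(resp)}")
```

Running it shows the benign response firing under the per-packet model but not under the header-scoped one, while the negative status code fires under both. In Snort 2.x rule syntax the header-scoped model corresponds to the http_header content modifier (or http_stat_code for the status line itself) and the H flag on pcre; exact rewritten rule text is left to whoever maintains sid:16214.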

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net