False positive alert: sid:2570 (security.ids.snort.sigs, msg#00181)
Here is a false positive warning for rule 2570. The HTTP client IP*Works from /n Software triggers this rule. Please see the HTTP client request and the snort alert below:

```
#(1 - 46198) [2004-10-26 00:47:41] nessus[bugtraq/9809] [snort/2570] WEB-MISC Invalid HTTP Version String
IPv4: 212.88.236.17 -> 80.146.208.29
      hlen=5 TOS=0 dlen=161 ID=22603 flags=0 offset=0 TTL=113 chksum=53233
TCP:  port=7088 -> dport: 80  flags=***AP*** seq=48490688
      ack=4105714494 off=5 res=0 win=65535 urp=0 chksum=8205
Payload:  length = 121

000 : 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 0D 0A   GET / HTTP/1.0..
010 : 48 6F 73 74 3A 20 77 77 77 2E 6D 75 6C 74 69 6E   Host: www.multin
020 : 65 74 2E 64 65 0D 0A 55 73 65 72 2D 41 67 65 6E   et.de..User-Agen
030 : 74 3A 20 49 50 2A 57 6F 72 6B 73 21 20 56 35 20   t: IP*Works! V5 
040 : 48 54 54 50 2F 53 20 43 6F 6D 70 6F 6E 65 6E 74   HTTP/S Component
050 : 20 2D 20 62 79 20 2F 6E 20 73 6F 66 74 77 61 72    - by /n softwar
060 : 65 20 2D 20 77 77 77 2E 6E 73 6F 66 74 77 61 72   e - www.nsoftwar
070 : 65 2E 63 6F 6D 0D 0A 0D 0A                        e.com....
```

--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
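
A triage sketch for the report above, added here as an example and not part of the original message or of Snort: it decodes the payload from the alert and separates the request-line version from any other `HTTP/` string in the headers. That the rule matches `HTTP/` anywhere in the payload is an assumption (the rule text is not quoted on this page), and the function names are hypothetical.

```python
import re

# Payload bytes copied from the hex dump in the alert above (121 bytes).
PAYLOAD = bytes.fromhex(
    "474554202F20485454502F312E300D0A"
    "486F73743A207777772E6D756C74696E"
    "65742E64650D0A557365722D4167656E"
    "743A2049502A576F726B732120563520"
    "485454502F5320436F6D706F6E656E74"
    "202D206279202F6E20736F6674776172"
    "65202D207777772E6E736F6674776172"
    "652E636F6D0D0A0D0A"
)

VERSION_RE = re.compile(rb"HTTP/\d\.\d")  # well-formed version token


def request_line_version_ok(payload):
    """True if the request line is 'METHOD target HTTP/x.y'."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return len(parts) == 3 and VERSION_RE.fullmatch(parts[2]) is not None


def http_token_hits(payload):
    """List (offset, location, well_formed) for every 'HTTP/' in the head."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    line_end = head.find(b"\r\n")
    if line_end < 0:
        line_end = len(head)
    hits = []
    for m in re.finditer(rb"(?i)HTTP/", head):
        where = "request-line" if m.start() < line_end else "header"
        hits.append((m.start(), where, bool(VERSION_RE.match(head, m.start()))))
    return hits


def triage(payload):
    """Classify an alerted request (assumed rule behaviour, see lead-in)."""
    if not request_line_version_ok(payload):
        return "bad-request-line"      # the version string really is malformed
    stray = [h for h in http_token_hits(payload) if h[1] == "header" and not h[2]]
    return "header-token" if stray else "clean"


if __name__ == "__main__":
    for hit in http_token_hits(PAYLOAD):
        print(hit)
    print(triage(PAYLOAD))
```

For this payload the request line is well formed and the only other `HTTP/` sits at offset 64, inside the User-Agent value `HTTP/S Component`.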