RE: False positive alert: sid:2570

Here is the rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC 
Invalid HTTP Version String"; flow:to_server,established; content:"HTTP/"; 
isdataat:6,relative; content:!"|0A|"; within:5; reference:bugtraq,9809; 
reference:nessus,11593; classtype:non-standard-protocol; sid:2570; rev:6;)

Here is da breakdown (for those that are interested, l33t can ignore):
This rule finds the string "HTTP/" and then verifies that there are 6 bytes 
after the string "HTTP/".
Then the rule sees that within 5 bytes of the string, that there is no new 
line charater: content:!"|0A|";
Standard HTTP versions would have "HTTP/1.0.." where .. represents a 
carriage return and a line feed "0D 0A".

However, this rule will trigger if the string "HTTP/" is anywhere in the 
packet:

040 : 48 54 54 50 2F 53 20 43 6F 6D 70 6F 6E 65 6E 74   HTTP/S Component

I was thinking about maybe adding depth to check the initial HTTP version 
but the GET request could be of any length. I am seeing if I can make a rule 
to check the initial header and ignore all other HTTP/ strings. (nnposter 
might have an idea :-)

This may be a case where you have to create a pass rule ahead of this rule 
to pass that traffic.(of course someone on the list please jump in with a 
better solution).

Shirkdog




> From: Michael Schwartzkopff <misch@xxxxxxxxxxx>
> To: snort-sigs@xxxxxxxxxxxxxxxxxxxxx
> Subject: [Snort-sigs] False positive alert: sid:2570
> Date: Tue, 26 Oct 2004 10:12:26 +0200
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Here is a false positive warning for rule 2570. The HTTP client IP*Works
> from /n Software triggers this rule. Please see the HTTP client request and
> the snort slert below:
>
> - 
> -----------------------------------------------------------------------------
> - - #(1 - 46198) [2004-10-26 00:47:41] nessus[bugtraq/9809] [snort/2570]
>  WEB-MISC Invalid HTTP Version String IPv4: 212.88.236.17 -> 80.146.208.29
>       hlen=5 TOS=0 dlen=161 ID=22603 flags=0 offset=0 TTL=113 chksum=53233
> TCP:  port=7088 -> dport: 80  flags=***AP*** seq=48490688
>       ack=4105714494 off=5 res=0 win=65535 urp=0 chksum=8205
> Payload:  length = 121
>
> 000 : 47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 0D 0A   GET / HTTP/1.0..
> 010 : 48 6F 73 74 3A 20 77 77 77 2E 6D 75 6C 74 69 6E   Host: www.multin
> 020 : 65 74 2E 64 65 0D 0A 55 73 65 72 2D 41 67 65 6E   et.de..User-Agen
> 030 : 74 3A 20 49 50 2A 57 6F 72 6B 73 21 20 56 35 20   t: IP*Works! V5
> 040 : 48 54 54 50 2F 53 20 43 6F 6D 70 6F 6E 65 6E 74   HTTP/S Component
> 050 : 20 2D 20 62 79 20 2F 6E 20 73 6F 66 74 77 61 72    - by /n softwar
> 060 : 65 20 2D 20 77 77 77 2E 6E 73 6F 66 74 77 61 72   e - www.nsoftwar
> 070 : 65 2E 63 6F 6D 0D 0A 0D 0A                        e.com....
>
> - -------------------------------------------------------
>
> - --
> Dr. Michael Schwartzkopff
> MultiNET Services GmbH
> Bretonischer Ring 7
> 85630 Grasbrunn
>
> Tel: (+49 89) 456 911 - 0
> Fax: (+49 89) 456 911 - 21
> mob: (+49 174) 343 28 75
>
> PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
>
> iD8DBQFBfgbvqndXpO3Yl5sRAn70AKCWooeNBzC+5f20Z6AyrM6XG+LQFQCgpdGi
> xhRj8yLi0h9FQFiDrFpSEJM=
> =OUna
> -----END PGP SIGNATURE-----

_________________________________________________________________
Don?t just search. Find. Check out the new MSN Search! 
http://search.msn.click-url.com/go/onm00200636ave/direct/01/



-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl