
RE: False positive alert: sid:2570: msg#00195

security.ids.snort.sigs

Shirkdog wrote:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
> Invalid HTTP Version String"; flow:to_server,established; content:"HTTP/";
> isdataat:6,relative; content:!"|0A|"; within:5; reference:bugtraq,9809;
> reference:nessus,11593; classtype:non-standard-protocol; sid:2570; rev:6;)

<snip>

> However, this rule will trigger if the string "HTTP/" is anywhere in the
> packet.

This could take care of it in most cases:

pcre:"/^\w+ +\S+ +HTTP\/(?!([1-9]\d*)?\d\.([1-9]\d*)?\d\r?$)/smi"

or

pcre:"/^\w+ +\S+ +HTTP\/(?!\d\.\d\r?$)/smi"

The first one is fully RFC 2616 compliant while the second variant is tailored
towards commonly used versions. An extreme would be to list the typical
versions explicitly:

pcre:"/^\w+ +\S+ +HTTP\/(?!(0\.9|1\.[01])\r?$)/smi"

So the full rule would be:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC Invalid HTTP Version String"; flow:to_server,established;
content:"HTTP/";
isdataat:6,relative;
content:!"|0A|"; within:5;
pcre:"--VERSION-CHECK-FROM-ABOVE--";
reference:bugtraq,9809; reference:nessus,11593;
classtype:non-standard-protocol; sid:2570; rev:7;)


Cheers,
nnposter
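Worked example (added by the editor; it is not part of nnposter's post and not Snort's own code): a small Python model of sid:2570 that applies the rule's content checks and each of the three proposed version checks to constructed request payloads, so you can see which revision fires on which input. The payloads, the helper names (`content_checks`, `rule_fires`, `VERSION_CHECKS`) and the `isdataat` approximation are this example's own. The patterns carry a `\r?` before `$` because under the m modifier `$` matches only before LF, so a CRLF-terminated request line such as `HTTP/10.2\r\n` would otherwise never satisfy the look-ahead and the pcre would match a legitimate request.

```python
import re

# The s, m, i modifiers from the post map onto re.DOTALL | re.MULTILINE | re.IGNORECASE.
FLAGS = re.DOTALL | re.MULTILINE | re.IGNORECASE

# The three version checks proposed in the thread.  "\r?" is placed before "$"
# because with the m modifier "$" matches only before LF, so a CRLF-terminated
# request line would otherwise never satisfy the look-ahead.
VERSION_CHECKS = {
    "rfc2616":  re.compile(r"^\w+ +\S+ +HTTP/(?!([1-9]\d*)?\d\.([1-9]\d*)?\d\r?$)", FLAGS),
    "common":   re.compile(r"^\w+ +\S+ +HTTP/(?!\d\.\d\r?$)", FLAGS),
    "explicit": re.compile(r"^\w+ +\S+ +HTTP/(?!(0\.9|1\.[01])\r?$)", FLAGS),
}


def content_checks(payload: bytes) -> bool:
    """Approximation of the rule's content part:
         content:"HTTP/"; isdataat:6,relative; content:!"|0A|"; within:5;
    i.e. some occurrence of "HTTP/" with at least 6 bytes following it and no LF
    among the next 5 (isdataat is approximated as "at least 6 bytes follow").
    Like Snort's detection engine, later occurrences of the content are tried
    when the relative checks after the first one fail.
    """
    start = 0
    while True:
        i = payload.find(b"HTTP/", start)
        if i < 0:
            return False
        after = payload[i + 5:]
        if len(after) >= 6 and b"\n" not in after[:5]:
            return True
        start = i + 1


def rule_fires(payload: bytes, version_check=None) -> bool:
    """True if sid:2570 would alert on this client->server payload.
    version_check=None models rev:6 (content checks only); a key of
    VERSION_CHECKS models rev:7 with that pcre added."""
    if not content_checks(payload):
        return False
    if version_check is None:
        return True
    return VERSION_CHECKS[version_check].search(payload.decode("latin-1")) is not None


# Constructed sample payloads (not real captures).
SAMPLES = {
    # well-formed request: must never alert
    "valid":       b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    # the false positive from the thread: "HTTP/" appears in the request body
    "body_fp":     (b"POST /submit HTTP/1.1\r\nHost: www.example.test\r\n"
                    b"Content-Length: 32\r\n\r\nReference: HTTP/ family overview"),
    # the "in most cases" caveat: a body line shaped like a request line still
    # matches ^\w+ +\S+ +HTTP/ under the m modifier, so rev:7 alerts as well
    "body_line":   (b"POST /submit HTTP/1.1\r\nHost: www.example.test\r\n"
                    b"Content-Length: 34\r\n\r\nsee the HTTP/ protocol family docs"),
    # malformed version string: every revision should alert
    "bad_version": b"GET / HTTP/1.1.1\r\nHost: www.example.test\r\n\r\n",
    # multi-digit major version, legal per RFC 2616 but not a "common" version
    "two_digit":   b"GET / HTTP/10.2\r\nHost: www.example.test\r\n\r\n",
}


if __name__ == "__main__":
    header = f"{'sample':<12} {'rev6':<6} " + " ".join(f"{k:<9}" for k in VERSION_CHECKS)
    print(header)
    for name, payload in SAMPLES.items():
        row = [str(rule_fires(payload))] + [str(rule_fires(payload, k)) for k in VERSION_CHECKS]
        print(f"{name:<12} {row[0]:<6} " + " ".join(f"{v:<9}" for v in row[1:]))
```

Running it prints one row per sample: rev:6 alerts on both body samples, rev:7 with any of the three checks stays quiet on `body_fp` but still alerts on `body_line`, and only the RFC 2616 variant accepts `HTTP/10.2`. The table makes the trade-off between the three checks concrete before you pick one for the `--VERSION-CHECK-FROM-ABOVE--` slot.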



