
SID 2570: msg#00200

security.ids.snort.sigs

Subject: SID 2570

I see from my own experience and the archives that
proxy servers and some IP widgets generate false
positives.

Currently, the content check is:

content:"HTTP/"; isdataat:6,relative; content:!"|0A|"; within:5;

This fires unless an "0A" is found within 5 bytes of
the "HTTP/", but proxy servers send HTTP version
strings like this:

Via: HTTP/1.1 proxy[AC1EDB48] (Traffic-Server/5.5.1-59096 [uScM])..

and this:

Via: HTTP/1.0 Novell Border Manager..

I also saw some false positives from the IP*Works
client (also referenced in the archive). It sends an
HTTP/S string that causes the rule to fire.

Brian's solution is to disable the rule and eventually
put the functionality in http_inspect. Till then, I
modify the initial content check and add an
additional content check to the rule:

content:"HTTP/1."; isdataat:6,relative; content:!"|0A|"; within:5; content:!"Via\: HTTP";

Any thoughts on the relative efficiency of the order
of content checks?

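To make the two content chains concrete, here is an added emulation (not from the post and not Snort code) of how each variant matches against constructed request payloads. It assumes the Snort manual's wording for isdataat ("at least N bytes after the previous match"), models Snort's retry of later occurrences when a relative chain fails, and uses a hypothetical IP*Works-style header because the post does not give the exact string.

```python
# Emulates the Snort 2.x content-chain semantics used by the two SID 2570
# variants in the post. Only the modifiers the post uses are modelled.


def _relative_chain(payload: bytes, anchor: bytes, need_after: int, window: int) -> bool:
    """True if some occurrence of `anchor` has at least `need_after` bytes
    after it and no LF (0x0A) within the next `window` bytes.
    Snort retries later occurrences of the first content when the rest of
    the chain fails, so every occurrence is tried."""
    idx = payload.find(anchor)
    while idx != -1:
        end = idx + len(anchor)
        # isdataat:need_after,relative  (per Snort manual: at least N bytes after)
        if len(payload) - end >= need_after:
            # content:!"|0A|"; within:window  -> passes only when no LF is found
            if b"\n" not in payload[end:end + window]:
                return True
        idx = payload.find(anchor, idx + 1)
    return False


def original_rule_fires(payload: bytes) -> bool:
    # content:"HTTP/"; isdataat:6,relative; content:!"|0A|"; within:5;
    return _relative_chain(payload, b"HTTP/", 6, 5)


def modified_rule_fires(payload: bytes) -> bool:
    # content:"HTTP/1."; isdataat:6,relative; content:!"|0A|"; within:5;
    # content:!"Via\: HTTP";  (no relative modifier: searched over the whole payload)
    return _relative_chain(payload, b"HTTP/1.", 6, 5) and b"Via: HTTP" not in payload


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "normal": b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "traffic_server_via": (b"GET / HTTP/1.0\r\nVia: HTTP/1.1 proxy[AC1EDB48] "
                           b"(Traffic-Server/5.5.1-59096 [uScM])\r\n\r\n"),
    "novell_via": b"GET / HTTP/1.0\r\nVia: HTTP/1.0 Novell Border Manager\r\n\r\n",
    # Hypothetical IP*Works-style header; the post does not give the exact string.
    "ipworks_like": b"GET / HTTP/1.0\r\nUser-Agent: IP*Works HTTP/S client\r\n\r\n",
    # Genuinely unterminated version string, sent directly ...
    "bad_version_direct": b"GET / HTTP/1.0 junk\r\n\r\n",
    # ... and the same request with a proxy Via: header present.
    "bad_version_behind_proxy": b"GET / HTTP/1.0 junk\r\nVia: HTTP/1.0 proxy\r\n\r\n",
}


def evaluate(samples=SAMPLES) -> dict:
    """Map each sample name to (original fires, modified fires)."""
    return {name: (original_rule_fires(p), modified_rule_fires(p))
            for name, p in samples.items()}
```

The last sample shows the cost of the non-relative `content:!"Via\: HTTP"`: because it is evaluated over the whole payload, any request carrying a proxy Via header is exempted even when its own request line has the unterminated version string the rule exists to flag.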