
[Snort-sigs] SID 1882 False Positives: "ATTACK-RESPONSES id check returned userid"

From: SoloNet Newsfeed Processor <newsfeed(at)solo.net>
Date: Wed May 28 2003 - 10:56:01 EDT


In the recent rule updates, it seems that SID 1882 has now begun generating false positives. Its search string "uid=" gets triggered on long URLs, which was evidenced by a number (20K+) of alerts we received this morning.

alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned userid"; content:"uid=";
byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882; rev:4;)

I believe the byte test is incorrect, but I'm not sure how to fix it since I'm not as knowledgeable about the exploit it's trying to pick up. Anybody want to chime in on this?




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Wed May 28 11:46:17 2003
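
Added example, not part of the original post: a simplified Python model of how rev 4 of the rule quoted above evaluates a payload, run over constructed samples, showing that a URL with a numeric uid= parameter satisfies it just as `id` output does. The byte_test semantics as modelled, the sample payloads and the stricter looks_like_id_output check are assumptions for illustration, not Snort code or an official fix to the rule.

```python
import re

# Constructed sample payloads (not captured traffic).
ID_OUTPUT = b"uid=0(root) gid=0(root) groups=0(root)\n"
LONG_URL = (b"GET /portal/view.php?page=inbox&uid=48213&lang=en HTTP/1.0\r\n"
            b"Host: www.example.com\r\n\r\n")
NAME_URL = b"GET /login?uid=alice&next=/home HTTP/1.0\r\n\r\n"

def byte_test_string(payload, start, nbytes=5, limit=65537):
    """Model of byte_test:5,<,65537,0,relative,string (assumed semantics):
    read nbytes after the content match, parse leading ASCII digits as decimal,
    and pass when the value is below limit."""
    window = payload[start:start + nbytes]
    if len(window) < nbytes:
        return False  # assumption: too few bytes left means no match
    digits = re.match(rb"\d+", window)
    return bool(digits) and int(digits.group()) < limit

def rule_1882_rev4(payload):
    """content:"uid=" anywhere in the payload, then the byte_test after it."""
    pos = payload.find(b"uid=")
    while pos != -1:
        if byte_test_string(payload, pos + len(b"uid=")):
            return True
        pos = payload.find(b"uid=", pos + 1)
    return False

# Hypothetical stricter check: the "uid=N(name) gid=N(" shape that id prints.
ID_SHAPE = re.compile(rb"uid=\d{1,5}\([^)\s]*\) gid=\d{1,5}\(")

def looks_like_id_output(payload):
    return ID_SHAPE.search(payload) is not None

if __name__ == "__main__":
    for name, data in [("id output", ID_OUTPUT), ("long URL", LONG_URL),
                       ("non-numeric uid", NAME_URL)]:
        print(f"{name:16} rev4={rule_1882_rev4(data)} "
              f"stricter={looks_like_id_output(data)}")
```
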

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:29 EDT

