[Emerging-Sigs] FP on 2011031?

Eoin Miller eoin.miller at trojanedbinaries.com
Wed Oct 20 16:38:18 EDT 2010


  I found an FP on this sig that is being triggered by Qualys scanning 
boxes.

Sig:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP GET invalid method case"; flow:established,to_server; content:"get"; depth:3; nocase; content:!"GET "; depth:4; classtype:bad-unknown; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; reference:url,doc.emergingthreats.net/2011031; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Invalid_Method; sid:2011031; rev:5;)

Packet payload:
47 45 54 2F 20 48 54 54 50 2F 31 2E 31 0D 0A 0D    GET/ HTTP/1.1...
0A                                                 .


Why in God's green earth this is firing with the nocase on the first match, I have no idea. The content:!"GET|20|" (changed the space to the |20| just to point out that it's a space here) is true though; it's a slightly screwed up request that may warrant its own sig actually. The "/" doesn't end up in the http_method buffer. We can't check if the "get/" will be in the http_header buffer either (since it won't).

Hmm, maybe something like:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Nessus/Qualys GET/ Detected"; flow:established,to_server; content:"get/"; depth:4; nocase; classtype:bad-unknown; sid:5600179; rev:1;)

-- Eoin
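As an added example (not part of Eoin's post or the ET rule set), here is a minimal Python emulation of the content/depth/nocase checks in sid 2011031 and the proposed replacement, run over constructed request payloads including the one quoted above. The `content_match` helper is an assumption about how these keywords behave, not a real rule engine.

```python
# Added example: emulate the Snort/Suricata "content" checks from sid 2011031
# and the proposed "get/" rule against constructed HTTP request payloads.

def content_match(payload: bytes, pattern: bytes, depth: int, nocase: bool = False) -> bool:
    """Emulate content:"pattern"; depth:N; [nocase;]
    The pattern must lie entirely within the first `depth` bytes of the payload."""
    window = payload[:depth]
    if nocase:
        return pattern.lower() in window.lower()
    return pattern in window


def sid_2011031_fires(payload: bytes) -> bool:
    """content:"get"; depth:3; nocase;  content:!"GET "; depth:4;
    Fires when "get" (any case) is in the first 3 bytes AND the exact,
    case-sensitive "GET " is NOT found in the first 4 bytes."""
    lowercase_or_any_get = content_match(payload, b"get", 3, nocase=True)
    no_exact_get_space = not content_match(payload, b"GET ", 4)
    return lowercase_or_any_get and no_exact_get_space


def proposed_rule_fires(payload: bytes) -> bool:
    """content:"get/"; depth:4; nocase;  (the scanner's "GET/" quirk)."""
    return content_match(payload, b"get/", 4, nocase=True)


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "normal":        b"GET / HTTP/1.1\r\n\r\n",   # well-formed request
    "lowercase":     b"get / HTTP/1.1\r\n\r\n",   # what the sig was written for
    "scanner_quirk": b"GET/ HTTP/1.1\r\n\r\n",    # payload from the post
    "post":          b"POST / HTTP/1.1\r\n\r\n",  # unrelated method
}


def classify(samples: dict) -> dict:
    """Return {name: (sid_2011031_fires, proposed_rule_fires)} for each payload."""
    return {name: (sid_2011031_fires(p), proposed_rule_fires(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (orig, proposed) in classify(SAMPLES).items():
        print(f"{name:14s} sid:2011031={orig!s:5s} proposed={proposed}")
```

The "scanner_quirk" payload shows the FP: the missing space after "GET" makes the negated match succeed even though the method case is correct, while the proposed rule only fires on that payload.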

