[Emerging-Sigs] FP on 2011031?
eoin.miller at trojanedbinaries.com
Wed Oct 20 16:38:18 EDT 2010
I found an FP on this sig that is being triggered by Qualys scanning
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP GET invalid method case"; flow:established,to_server; content:"get"; depth:3; nocase; content:!"GET "; depth:4; classtype:bad-unknown; sid:2011031;)
47 45 54 2F 20 48 54 54 50 2F 31 2E 31 0D 0A 0D GET/ HTTP/1.1...
Why in God's green earth this is firing, I have no idea, with the nocase
on the first match. The content:!"GET|20|" (changed the space to the
|20| just to point out that it's a space here) is true though; it's a
slightly screwed-up request that may warrant its own sig actually. The
"/" doesn't end up in the http_method buffer. We can't check if the
"get/" will be in the http_header buffer either (since it won't).
Hmm, maybe something like:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN
Nessus/Qualys GET/ Detected"; flow:established,to_server;
content:"get/"; depth:4; nocase; classtype:bad-unknown; sid:5600179; rev:1;)
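As an added example (not part of the original post and not code from the ET ruleset), here is a small Python model of the two content options in the rule being discussed, plus the proposed "get/" replacement, evaluated over constructed request payloads including the GET/ HTTP/1.1 payload shown in the hex dump. The depth/nocase/negation semantics it implements (depth N restricts the search to the first N payload bytes, nocase folds case, "!" inverts the match and the rule continues only if the pattern is absent) are an assumption about how Snort evaluates these options, written here to make the false positive reproducible offline.

```python
"""Model of the content checks in the 'ET SCAN HTTP GET invalid method case'
rule and the proposed 'GET/' rule, run over constructed HTTP payloads.

Assumed Snort semantics (not taken from the original post):
  content:"get"; depth:3; nocase;  -> b"get" found, case-folded, in payload[:3]
  content:!"GET "; depth:4;        -> b"GET " NOT found in payload[:4]
  content:"get/"; depth:4; nocase; -> b"get/" found, case-folded, in payload[:4]
All payloads below are constructed samples for illustration.
"""


def content_match(payload: bytes, pattern: bytes, depth: int, nocase: bool = False) -> bool:
    """Emulate a single Snort content option restricted by depth."""
    window = payload[:depth]
    if nocase:
        return pattern.lower() in window.lower()
    return pattern in window


def invalid_method_case_fires(payload: bytes) -> bool:
    """Does the 'ET SCAN HTTP GET invalid method case' rule alert on this payload?"""
    # content:"get"; depth:3; nocase;
    if not content_match(payload, b"get", 3, nocase=True):
        return False
    # content:!"GET "; depth:4;  -- negated: the rule only continues if absent
    if content_match(payload, b"GET ", 4):
        return False
    return True


def get_slash_fires(payload: bytes) -> bool:
    """Does the proposed 'Nessus/Qualys GET/ Detected' rule alert on this payload?"""
    # content:"get/"; depth:4; nocase;
    return content_match(payload, b"get/", 4, nocase=True)


# Constructed sample payloads. The last one is the request from the hex dump
# in the post: 47 45 54 2F 20 48 54 54 50 2F 31 2E 31 0D 0A 0D 0A
PAYLOADS = {
    "normal GET": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "lowercase method": b"get / HTTP/1.1\r\n\r\n",
    "mixed case method": b"Get / HTTP/1.1\r\n\r\n",
    "scanner GET/": b"GET/ HTTP/1.1\r\n\r\n",
}


def evaluate(payloads=PAYLOADS):
    """Return {name: (invalid_method_case_fires, get_slash_fires)} for each payload."""
    return {name: (invalid_method_case_fires(p), get_slash_fires(p)) for name, p in payloads.items()}


if __name__ == "__main__":
    for name, (orig, proposed) in evaluate().items():
        print(f"{name:18s} invalid-method-case={orig!s:5s} GET/={proposed}")
```

The "scanner GET/" payload passes the first check ("get" matches "GET" case-insensitively) and also passes the negated check (the first four bytes are "GET/", not "GET "), so the original rule fires even though the method itself is in the correct case; the proposed "get/" rule isolates exactly that case.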