[Emerging-Sigs] FP on 2011031?

Joel Esler jesler at sourcefire.com
Wed Oct 20 16:52:51 EDT 2010


I think "FP" is the wrong term here, heh.

I think "GET invalid method" is exactly what was detected...

The word 'case' is the only discrepancy :)


On Oct 20, 2010, at 4:47 PM, evilghost at packetmail.net wrote:

> 
> On 10/20/2010 03:38 PM, Eoin Miller wrote:
>> Why in God's green earth this is firing, I have no idea, with the nocase
>> on the first match?
> 
> It should fire, though this is more of an invalid HTTP method.
> 
> content:"get"; depth:3; nocase; will match "GET" in your "GET/"
> content:!"GET "; depth:4; will evaluate as true, so the signature fires.
> 
> We probably need to update 2011031 to below (note the space after the
> initial content match and the depth change from 3 to 4):
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN HTTP
> GET invalid method case"; flow:established,to_server; content:"get ";
> depth:4; nocase; content:!"GET "; depth:4; classtype:bad-unknown;
> reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html;
> reference:url,doc.emergingthreats.net/2011031;
> reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_Invalid_Method;
> sid:2011031; rev:6;)
> 
> Of course, this "FP" did help you find some craziness. Looking at
> http://doc.emergingthreats.net/2011031, though, it seems that the rev:6
> proposed above was pretty much what was already there as rev:1-rev:2; why
> the change?
> 
> - -evilghost
> 

--
Joel Esler
302-223-5974
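The exchange above turns on how two `content` options with `depth` and `nocase` combine. The following is an added example, not part of the thread and not Emerging Threats or Snort code: a small Python model of absolute-offset `content` matching (pattern searched from the start of the payload, `depth` limiting the window, `nocase` lowering both sides, `!` negating the result). It evaluates the content options evilghost quotes for the current rule beside the proposed rev:6 body against a few constructed request lines. Modelling assumptions: both contents are anchored at payload start because neither uses `distance`/`within`, and no HTTP preprocessor or `http_method` buffer is involved; the sample requests are made up for the demonstration.

```python
from typing import Dict, List, Optional, Tuple

# Minimal model of one Snort/Suricata "content" option with no distance/within:
# the pattern is searched in the first `depth` bytes of the payload.
def content_match(payload: bytes, pattern: bytes, depth: Optional[int] = None,
                  nocase: bool = False, negated: bool = False) -> bool:
    window = payload if depth is None else payload[:depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    found = pattern in window
    return (not found) if negated else found

# Content options of 2011031 as quoted in the thread (the rule that fired):
#   content:"get"; depth:3; nocase;  content:!"GET "; depth:4;
CURRENT_RULE: List[dict] = [
    {"pattern": b"get", "depth": 3, "nocase": True},
    {"pattern": b"GET ", "depth": 4, "negated": True},
]

# Content options of the proposed rev:6 body:
#   content:"get "; depth:4; nocase;  content:!"GET "; depth:4;
PROPOSED_RULE: List[dict] = [
    {"pattern": b"get ", "depth": 4, "nocase": True},
    {"pattern": b"GET ", "depth": 4, "negated": True},
]

def rule_fires(payload: bytes, contents: List[dict]) -> bool:
    # A rule body fires only when every content option evaluates true.
    return all(content_match(payload, **c) for c in contents)

# Constructed request lines (not traffic from the thread).
SAMPLES: List[bytes] = [
    b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",   # well-formed
    b"GET/ HTTP/1.1\r\nHost: example.test\r\n\r\n",    # missing space: invalid method
    b"get / HTTP/1.1\r\nHost: example.test\r\n\r\n",   # wrong case: what the rule targets
    b"Get / HTTP/1.1\r\nHost: example.test\r\n\r\n",   # mixed case
    b"POST / HTTP/1.1\r\nHost: example.test\r\n\r\n",  # unrelated method
]

def compare(samples: List[bytes] = SAMPLES) -> Dict[bytes, Tuple[bool, bool]]:
    """Map each request line to (current rule fires, proposed rule fires)."""
    return {
        s.split(b"\r\n", 1)[0]: (rule_fires(s, CURRENT_RULE), rule_fires(s, PROPOSED_RULE))
        for s in samples
    }

if __name__ == "__main__":
    for line, (cur, prop) in compare().items():
        print(f"{line!r:24} current={cur!s:5} proposed={prop!s:5}")
```

Running it shows the point made in the thread: "GET/ HTTP/1.1" fires the current body because `"get"` with `depth:3` matches "GET" and `!"GET "` over the first four bytes is true, while the proposed `"get "` with `depth:4` no longer matches that request at all. Both bodies still fire on the lowercase and mixed-case methods that the "invalid method case" rule is meant to catch, and neither fires on a well-formed "GET " request line.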


