mailing list archives
Re: 17494 Falsing on non IE6 systems
From: "Weir, Jason" <jason.weir () nhrs org>
Date: Wed, 27 Oct 2010 09:03:33 -0400
I agree on the long URIs but this was a IE6 specific bug - at least only
trip on IE6 systems...
I'm running the "Registered-User" version (rev:1) not sure if there is a
I got it in an update last night and it's been filling up the logs ever
I just disabled it on all sensors - hopefully SF fixes it..
From: L0rd Ch0de1m0rt [mailto:l0rdch0de1m0rt () gmail com]
Sent: Wednesday, October 27, 2010 8:52 AM
To: Weir, Jason
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] 17494 Falsing on non IE6 systems
Yea, this is a terribly written rule, especially with Web 2.0
technologies and advertising companies preferring to create
ginormous URIs. It's not browser specific ... all modern
URIs>206 bytes and the RFC doesn't specify a limit....
Are you running the latest version of this rule? I could be
thinking of a different rule but I thought that when this one
came out it everyone started complaining about it and they
disabled it. I recommend all who are running it to disable it.
On Wed, Oct 27, 2010 at 7:37 AM, Weir, Jason
<jason.weir () nhrs org> wrote:
Tons of false positives on machines running IE7 & 8...
Maybe do a content match on the IE6 user agent - something like
content:"compatible; MSIE 6."
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
Microsoft Internet Explorer Long URL Buffer Overflow attempt";
flow:established,to_server; urilen:>260; content:"GET";
content:"HTTP|2F|1|2E|1|0D 0A|"; metadata:service http;
classtype:attempted-user; sid:17494; rev:1;)
Please visit www.nhrs.org to subscribe to NHRS email announcements and updates.
Nokia and AT&T present the 2010 Calling All Innovators-North America contest
Create new apps & games for the Nokia N8 for consumers in U.S. and Canada
$10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
Re: 17494 Falsing on non IE6 systems Weir, Jason (Oct 27)