Snort mailing list archives
owssvr.dll and false positives on sid:1288
From: Michael Scheidell <scheidell () secnap net>
Date: Mon, 11 Nov 2002 12:27:12 -0500 (EST)
False alarms with sid:1288:

error.log:[Mon Nov 11 11:57:12 2002] [error] [client 207.103.163.19] File does not exist: /www/SECNAP/htdocs/_vti_bin/owssvr.dll

It looks like a normal client access to a web page, if the client has Microsoft Office and/or .NET installed. See: http://lists.jammed.com/incidents/2001/10/0124.html

Seems their web browser wants to make sure there isn't a 'discussion' page or forum for that original request.

Would this fix that script? Note the ! "/_vti_bin/owssvr.dll" in the uricontent keyword.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"WEB-FRONTPAGE /_vti_bin/ access"; flow:to_server,established; \
    uricontent:"/_vti_bin/"; nocase; uricontent:!"/_vti_bin/owssvr.dll"; nocase; \
    classtype:web-application-activity; sid:1288; rev:5;)

-- 
Michael Scheidell
SECNAP Network Security, LLC
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Looking for a career in Internet security? http://www.secnap.net/employment/
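The following is an added example, not part of the post above and not Snort's own code: a small Python model of how a rule's uricontent keywords combine (every keyword must match; a ! keyword matches when the substring is absent; nocase applies only to the keyword it follows), run over constructed request URIs. It contrasts the exclusion as posted, where the path is spelled "/vti_bin/owssrv.dll" and nocase covers only the second keyword, with the same rule using the path as it appears in the Apache error log and nocase on both keywords. The URIs are made up for the demonstration; the model ignores Snort's URI normalization and fast-pattern ordering.

```python
"""Model of Snort uricontent matching, used to check the sid:1288 exclusion."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class UriContent:
    """One uricontent keyword: a literal substring, optionally negated (!) and/or nocase."""
    pattern: str
    negated: bool = False
    nocase: bool = False


def uricontent_matches(uri: str, uc: UriContent) -> bool:
    """Literal substring match as uricontent does it; nocase folds both sides."""
    hay, needle = (uri.lower(), uc.pattern.lower()) if uc.nocase else (uri, uc.pattern)
    found = needle in hay
    return (not found) if uc.negated else found


def rule_fires(uri: str, checks: list[UriContent]) -> bool:
    """All uricontent keywords of a rule must match for the alert to fire."""
    return all(uricontent_matches(uri, uc) for uc in checks)


# Keywords exactly as in the posted rule: exclusion spelled "/vti_bin/owssrv.dll"
# (no underscore, transposed letters) and nocase only on the second keyword.
POSTED = [
    UriContent("/_vti_bin/"),
    UriContent("/vti_bin/owssrv.dll", negated=True, nocase=True),
]

# Same rule with the exclusion spelled as in the error log and nocase on both
# keywords (nocase modifies only the content/uricontent keyword before it).
CORRECTED = [
    UriContent("/_vti_bin/", nocase=True),
    UriContent("/_vti_bin/owssvr.dll", negated=True, nocase=True),
]

# Constructed request URIs for the demonstration, not captured traffic.
SAMPLE_URIS = [
    "/_vti_bin/owssvr.dll?UL=1&ACT=4",  # Office discussion probe (the false positive)
    "/_VTI_BIN/OWSSVR.DLL?UL=1&ACT=4",  # same probe, different case
    "/_vti_bin/shtml.dll/_vti_rpc",     # other FrontPage extension access, should still alert
    "/_VTI_BIN/shtml.dll/_vti_rpc",     # same, upper-case directory
    "/index.html",                      # unrelated request
]


def evaluate(checks: list[UriContent]) -> dict[str, bool]:
    """Map each sample URI to whether the alert fires under the given keyword set."""
    return {uri: rule_fires(uri, checks) for uri in SAMPLE_URIS}


if __name__ == "__main__":
    for label, checks in (("posted", POSTED), ("corrected", CORRECTED)):
        print(f"--- {label} rule ---")
        for uri, fires in evaluate(checks).items():
            print(f"{'ALERT ' if fires else 'quiet '} {uri}")
```

With the posted spelling the owssvr.dll probe still alerts, because the negated substring never occurs in the URI, while an upper-cased /_VTI_BIN/ request slips past the first keyword entirely; with the corrected keywords the probe is silent in either case and other /_vti_bin/ accesses still alert.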