[Oisf-users] [Emerging-Sigs] SID: http://docs.emergingthreats.net/2014380/

Duane Howard duane.security at gmail.com
Mon Dec 12 19:48:02 UTC 2016


Forking thread to oisf-users...

On Mon, Dec 12, 2016 at 11:42 AM, Francis Trudeau <ftrudeau at emergingthreats.net> wrote:

> We were seeing FP reports on this as just the depth wasn't doing enough to
> make sure the sig was matching on the HTTP headers.
>
> Suricata, because the POST isn't capitalized, doesn't consider this HTTP
> so we couldn't use the HTTP buffers.  Snort on the other hand looks at this
> as HTTP, because of the ports, so we could do this:
>
Is this a known bug in libhtp? Or rather, is it expected? This seems like a
bad decision from an IDS perspective.

>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP
> POST invalid method case outbound"; flow:established,to_server;
> content:"post"; http_method; nocase; content:!"POST"; http_method;
> reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html;
> classtype:bad-unknown; sid:2014380; rev:3;)
>
> The rule that was FPing was rev:2, the Suricata sig skipped from rev:2 to
> rev:4 due to internal processes that made it skip a rev in the final
> output.  The docs page uses the Suricata version as we are partial to
> Suricata ;)
>
> Are you seeing FPs with rev:3 of the Snort signature?
>
> ft
>
>
>
>
> On Mon, Dec 12, 2016 at 8:59 AM, Jim McKibben <jmckibben at riskanalytics.com> wrote:
>
>> The rev 4 of this rule isn't included in the
>> https://rules.emergingthreats.net/open-nogpl/snort-2.9.0/emerging.rules.tar.gz package.
>>
>> Is there a reason for this? It is FPing for sites that contain the text
>> "post" such as nypost.com and such.
>> --
>>
>>
>> Jim McKibben, Security Analyst GSEC GWAPT
>> Office / 913-685-6588
>> Mobile / 573-424-4848
>> jmckibben at riskanalytics.com
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at lists.emergingthreats.net
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreats.net
>>
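As an added example (not code from the thread, nor from Emerging Threats, Snort or Suricata), the following Python models on constructed request payloads the two detection approaches discussed above: a raw-buffer content match for "post" bounded by depth, which is all a signature can do when the engine exposes no HTTP buffers for the flow, and the http_method-buffer logic of rev:3 (match "post" nocase, then negate the exact "POST"). It also approximates a parser that only treats a request as HTTP when the method token is canonical upper case, so a lowercase "post" request line is not seen as HTTP; that approximation, the sample payloads and the depth value are my assumptions, not libhtp's actual implementation.

```python
import re

# Constructed sample payloads (not captured traffic): one request line plus headers.
SAMPLES = {
    "lowercase_post": b"post /upload HTTP/1.1\r\nHost: example.com\r\nContent-Length: 0\r\n\r\n",
    "mixed_case_post": b"Post /upload HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "valid_post": b"POST /upload HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "nypost_get": b"GET / HTTP/1.1\r\nHost: www.nypost.com\r\nUser-Agent: x\r\n\r\n",
    "post_in_path": b"GET /blog/post/123 HTTP/1.1\r\nHost: example.com\r\n\r\n",
}

# Request-line shape: METHOD SP request-target SP HTTP/x.y CRLF
REQUEST_LINE = re.compile(rb"^([^ \r\n]+) ([^ \r\n]+) HTTP/\d\.\d\r\n")


def raw_content_match(payload: bytes, depth: int = 60) -> bool:
    """Raw-buffer approximation of  content:"post"; depth:<depth>;  (case-sensitive).

    Without HTTP buffers the rule can only look at raw bytes, so a lowercase
    'post' anywhere in the first `depth` bytes fires, including inside a Host
    header (nypost.com) or a URI path.
    """
    return b"post" in payload[:depth]


def parse_method(payload: bytes):
    """Return the method token of the first request line, or None if it does not parse."""
    m = REQUEST_LINE.match(payload)
    return m.group(1) if m else None


def strict_parser_sees_http(payload: bytes) -> bool:
    """Assumed model (not libhtp's code) of a parser that only classifies the
    stream as HTTP when the method token is canonical upper case."""
    method = parse_method(payload)
    return method is not None and re.fullmatch(rb"[A-Z]+", method) is not None


def method_buffer_match(payload: bytes) -> bool:
    """rev:3 logic evaluated over the method buffer only:
       content:"post"; http_method; nocase;   AND   content:!"POST"; http_method;
    """
    method = parse_method(payload)
    if method is None:
        return False
    return method.lower() == b"post" and method != b"POST"


def evaluate(samples=SAMPLES, depth: int = 60) -> dict:
    """Run all three checks over each sample; returns {name: {check: bool}}."""
    return {
        name: {
            "raw_content": raw_content_match(p, depth),
            "strict_parser_http": strict_parser_sees_http(p),
            "method_buffer": method_buffer_match(p),
        }
        for name, p in samples.items()
    }


if __name__ == "__main__":
    for name, res in evaluate().items():
        print(f"{name:16s} {res}")
```

Running it shows the trade-off from the thread: the raw match at depth 60 fires on the nypost.com Host header and on a /blog/post/ path, while the method-buffer logic fires only on "post" and "Post" and stays silent on a correct "POST". Shrinking the depth to 4 confines the raw match to the method position and removes those false positives, but a raw byte match still cannot express the nocase-plus-negated-exact-case pair of rev:3, which is exactly what the method buffer gives Snort and what a parser that rejects lowercase methods withholds from Suricata.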