Snort Forums Archive
False Positive? - Invalid HTTP Version String
Posted by greg_panula on March 17, 2005 01:58:36
#(9 - 844480) [2005-03-17 04:57:14] nessus[bugtraq/9809] [snort/2570] WEB-MISC Invalid HTTP Version String
IPv4: 10.1.2.3 -> 172.20.20.54
hlen=5 TOS=0 dlen=153 ID=45601 flags=0 offset=0 TTL=63 chksum=27884
TCP: port=3995 -> dport: 80 flags=***AP*** seq=3528733573
ack=3880101927 off=8 res=0 win=57920 urp=0 chksum=31297
Options:
#1 - NOP len=0
#2 - NOP len=0
#3 - TS len=8 data=BED1E04500000000
Payload: length = 101
000 : 47 45 54 20 2F 61 63 76 2E 74 78 74 20 48 54 54 GET /acv.txt HTT
010 : 50 2F 31 2E 30 0D 0A 48 6F 73 74 3A 20 31 37 32 P/1.0..Host: 172
020 : 2E 32 30 2E 32 30 2E 35 30 0D 0A 55 73 65 72 2D .20.20.50..User-
030 : 41 67 65 6E 74 3A 20 63 68 65 63 6B 5F 68 74 74 Agent: check_htt
040 : 70 2F 31 2E 32 34 2E 32 2E 34 20 28 6E 61 67 69 p/1.24.2.4 (nagi
050 : 6F 73 2D 70 6C 75 67 69 6E 73 20 31 2E 33 2E 31 os-plugins 1.3.1
060 : 29 0D 0A 0D 0A )....
The above triggered the "Invalid HTTP Version String" alert. The HTTP version string of "HTTP/1.0" looks valid to me. Was the alert triggered because of the extra text after the HTTP/1.0 or is this a false positive?
Thanks,
greg
Posted by nigel on March 17, 2005 04:16:37
The rule fired because the content "HTTP/" was matched and then the expected line feed did not occur when expected. Thus, it is an invalid version string.
--
Nigel
Posted by greg_panula on March 24, 2005 02:26:55
Ahh, the User_Agent/check_http/1.24.2.4 is what triggered it.
Thanks.
And for the archives:
additional info can be found at: http://www.networksecurityarchive.org/html/Snort-Signatures/2004-10/msg00194.html
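Added example (not from the thread, and not the actual Snort rule text): a small Python emulation of the matching logic Nigel describes, run over the request from the hex dump above. It assumes the "HTTP/" content match is case-insensitive and that the rule expects "digit.digit" followed by a line end right after it. A second check looks only at the request line, which is the only place the protocol version legitimately appears, so a version-like token inside a User-Agent header no longer counts.

```python
import re

# Constructed from the hex dump posted in the thread (payload length 101).
PAYLOAD = (
    b"GET /acv.txt HTTP/1.0\r\n"
    b"Host: 172.20.20.50\r\n"
    b"User-Agent: check_http/1.24.2.4 (nagios-plugins 1.3.1)\r\n"
    b"\r\n"
)

# Approximation of the rule as described in the thread: find "HTTP/"
# anywhere (assumed case-insensitive) and require "d.d" plus a line end.
CONTENT_RE = re.compile(rb"HTTP/", re.IGNORECASE)
VALID_VERSION_RE = re.compile(rb"\d\.\d\r?\n")

# Tightened check: request line only, "METHOD SP target SP HTTP/d.d".
REQUEST_LINE_RE = re.compile(rb"[A-Z]+ \S+ HTTP/(\d\.\d)")


def find_invalid_version_strings(payload):
    """Return the offsets of every 'HTTP/' occurrence that is NOT followed
    by a well-formed version and line end (the broad, alert-firing logic)."""
    hits = []
    for m in CONTENT_RE.finditer(payload):
        if not VALID_VERSION_RE.match(payload, m.end()):
            hits.append(m.start())
    return hits


def request_line_version(payload):
    """Return the version from the request line if it is well-formed,
    otherwise None. Header bodies are never inspected."""
    first_line, sep, _ = payload.partition(b"\r\n")
    if not sep:
        return None
    m = REQUEST_LINE_RE.fullmatch(first_line)
    return m.group(1) if m else None


def classify(payload):
    """Combine both checks: a broad hit with a valid request line is the
    false-positive pattern seen in the thread."""
    offsets = find_invalid_version_strings(payload)
    version = request_line_version(payload)
    return {
        "broad_rule_offsets": offsets,
        "request_line_version": version,
        "false_positive": bool(offsets) and version is not None,
    }


if __name__ == "__main__":
    result = classify(PAYLOAD)
    for off in result["broad_rule_offsets"]:
        print(f"broad match at offset {off}: {PAYLOAD[off:off + 24]!r}")
    print("request-line version:", result["request_line_version"])
    print("false positive:", result["false_positive"])
```

On the posted request the broad check fires only at offset 61, inside "check_http/1.24.2.4", while the request line parses cleanly as HTTP/1.0; a genuinely malformed request line (for example trailing junk after the version) fails both checks, which is the case the rule is meant to catch.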