Snort Forums Archive
False positive with rule SID 2441
Posted by ivocarv2 on April 05, 2005 04:55:50
This rule triggered 15 times while I was using openwebmail on my server. Seems like the "login=0" pattern is triggering the rule, but I don't know anything about NetObserve to fix it.
Regards,
Ivo.
Rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC NetObserve authentication bypass attempt"; flow:to_server,established; content:"login=0"; nocase; content:"Cookie|3A|"; nocase; pcre:"/^Cookie\x3a[^\n]*?login=0/smi"; reference:bugtraq,9319; classtype:web-application-attack; sid:2441; rev:3;)
packet that triggered rule:
14:20:50.231754 200.144.121.118.4028 > 192.188.11.224.80: P 528:919(391) ack 1489 win 65535 (DF)
0x0000 4500 01af 1e5c 4000 7706 d549 c890 7976 E....\@.w..I..yv
0x0010 c0bc 0be0 0fbc 0050 42fc 2d40 045c d34d .......PB.-@.\.M
0x0020 5018 ffff e0dc 0000 4745 5420 2f66 6973 P.......GET./fis
0x0030 682e 6a70 6720 4854 5450 2f31 2e31 0d0a h.jpg.HTTP/1.1..
0x0040 4163 6365 7074 3a20 2a2f 2a0d 0a52 6566 Accept:.*/*..Ref
0x0050 6572 6572 3a20 6874 7470 3a2f 2f77 7777 erer:.http://www
0x0060 2e70 6569 7869 6e68 6f2e 6f72 672f 0d0a .peixinho.org/..
0x0070 4163 6365 7074 2d4c 616e 6775 6167 653a Accept-Language:
0x0080 2070 742d 6272 0d0a 4163 6365 7074 2d45 .pt-br..Accept-E
0x0090 6e63 6f64 696e 673a 2067 7a69 702c 2064 ncoding:.gzip,.d
0x00a0 6566 6c61 7465 0d0a 5573 6572 2d41 6765 eflate..User-Age
0x00b0 6e74 3a20 4d6f 7a69 6c6c 612f 342e 3020 nt:.Mozilla/4.0.
0x00c0 2863 6f6d 7061 7469 626c 653b 204d 5349 (compatible;.MSI
0x00d0 4520 362e 303b 2057 696e 646f 7773 204e E.6.0;.Windows.N
0x00e0 5420 352e 313b 2053 5631 3b20 2e4e 4554 T.5.1;.SV1;..NET
0x00f0 2043 4c52 2031 2e30 2e33 3730 353b 202e .CLR.1.0.3705;..
0x0100 4e45 5420 434c 5220 312e 312e 3433 3232 NET.CLR.1.1.4322
0x0110 290d 0a48 6f73 743a 2077 7777 2e70 6569 )..Host:.www.pei
0x0120 7869 6e68 6f2e 6f72 670d 0a43 6f6e 6e65 xinho.org..Conne
0x0130 6374 696f 6e3a 204b 6565 702d 416c 6976 ction:.Keep-Aliv
0x0140 650d 0a43 6f6f 6b69 653a 206f 772d 6175 e..Cookie:.ow-au
0x0150 746f 6c6f 6769 6e3d 303b 206f 772d 6c6f tologin=0;.ow-lo
0x0160 6769 6e6e 616d 653d 6976 6f63 6172 763b ginname=ivocarv;
0x0170 206f 772d 6465 6661 756c 745f 6c6f 6769 .ow-default_logi
0x0180 6e64 6f6d 6169 6e3d 7777 772e 7065 6978 ndomain=www.peix
0x0190 696e 686f 2e6f 7267 3b20 6f77 2d68 7474 inho.org;.ow-htt
0x01a0 7063 6f6d 7072 6573 733d 310d 0a0d 0a pcompress=1....
Posted by nigel on April 05, 2005 09:32:31
If you aren't using NetObserve then you can probably disable the rule. You are correct, this is firing on the login=0 content found in a Cookie set by your openwebmail server.
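The following is an added example, not code from the thread or from Snort. It parses the tcpdump hex dump from the first post, strips the IP and TCP headers, applies SID 2441's three detection options the way Snort evaluates them (two nocase content matches, then the PCRE), and shows that the PCRE has no boundary before "login=0", so the openwebmail cookie "ow-autologin=0" satisfies it. It then tries a tighter PCRE that only accepts a cookie whose name is exactly "login"; that variant is an assumption, written on the premise (suggested by the rule's own content match) that the NetObserve bypass sets a cookie literally named "login". The SUSPECT_REQUEST constant is a constructed sample, not a capture.

```python
"""Replay Snort SID 2441's match logic on the packet posted in the thread."""
import re

# tcpdump -X output copied from the post (IPv4 header + TCP header + payload).
PACKET_HEXDUMP = r"""
0x0000 4500 01af 1e5c 4000 7706 d549 c890 7976 E....\@.w..I..yv
0x0010 c0bc 0be0 0fbc 0050 42fc 2d40 045c d34d .......PB.-@.\.M
0x0020 5018 ffff e0dc 0000 4745 5420 2f66 6973 P.......GET./fis
0x0030 682e 6a70 6720 4854 5450 2f31 2e31 0d0a h.jpg.HTTP/1.1..
0x0040 4163 6365 7074 3a20 2a2f 2a0d 0a52 6566 Accept:.*/*..Ref
0x0050 6572 6572 3a20 6874 7470 3a2f 2f77 7777 erer:.http://www
0x0060 2e70 6569 7869 6e68 6f2e 6f72 672f 0d0a .peixinho.org/..
0x0070 4163 6365 7074 2d4c 616e 6775 6167 653a Accept-Language:
0x0080 2070 742d 6272 0d0a 4163 6365 7074 2d45 .pt-br..Accept-E
0x0090 6e63 6f64 696e 673a 2067 7a69 702c 2064 ncoding:.gzip,.d
0x00a0 6566 6c61 7465 0d0a 5573 6572 2d41 6765 eflate..User-Age
0x00b0 6e74 3a20 4d6f 7a69 6c6c 612f 342e 3020 nt:.Mozilla/4.0.
0x00c0 2863 6f6d 7061 7469 626c 653b 204d 5349 (compatible;.MSI
0x00d0 4520 362e 303b 2057 696e 646f 7773 204e E.6.0;.Windows.N
0x00e0 5420 352e 313b 2053 5631 3b20 2e4e 4554 T.5.1;.SV1;..NET
0x00f0 2043 4c52 2031 2e30 2e33 3730 353b 202e .CLR.1.0.3705;..
0x0100 4e45 5420 434c 5220 312e 312e 3433 3232 NET.CLR.1.1.4322
0x0110 290d 0a48 6f73 743a 2077 7777 2e70 6569 )..Host:.www.pei
0x0120 7869 6e68 6f2e 6f72 670d 0a43 6f6e 6e65 xinho.org..Conne
0x0130 6374 696f 6e3a 204b 6565 702d 416c 6976 ction:.Keep-Aliv
0x0140 650d 0a43 6f6f 6b69 653a 206f 772d 6175 e..Cookie:.ow-au
0x0150 746f 6c6f 6769 6e3d 303b 206f 772d 6c6f tologin=0;.ow-lo
0x0160 6769 6e6e 616d 653d 6976 6f63 6172 763b ginname=ivocarv;
0x0170 206f 772d 6465 6661 756c 745f 6c6f 6769 .ow-default_logi
0x0180 6e64 6f6d 6169 6e3d 7777 772e 7065 6978 ndomain=www.peix
0x0190 696e 686f 2e6f 7267 3b20 6f77 2d68 7474 inho.org;.ow-htt
0x01a0 7063 6f6d 7072 6573 733d 310d 0a0d 0a pcompress=1....
"""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_hexdump(dump: str) -> bytes:
    """Turn 'tcpdump -X' style lines into raw bytes.

    Each line is an offset, up to eight 4-hex-digit groups, then an ASCII
    column; reading stops at the first token that is not a hex group, so the
    ASCII column is never mistaken for data.
    """
    out = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[1:]:
            if len(tok) in (2, 4) and set(tok) <= HEX_DIGITS:
                out += bytes.fromhex(tok)
            else:
                break
    return bytes(out)


def tcp_payload(packet: bytes) -> bytes:
    """Skip the IPv4 header (IHL) and the TCP header (data offset)."""
    ihl = (packet[0] & 0x0F) * 4
    data_off = (packet[ihl + 12] >> 4) * 4
    return packet[ihl + data_off:]


# The rule's detection options, in order:
#   content:"login=0"; nocase;   content:"Cookie|3A|"; nocase;
#   pcre:"/^Cookie\x3a[^\n]*?login=0/smi"   (s = dotall, m = multiline, i = nocase)
SID_2441_PCRE = re.compile(rb"^Cookie\x3a[^\n]*?login=0", re.S | re.M | re.I)

# Tighter variant (an assumption, not the Snort rule): "login=0" must be the
# first cookie after "Cookie:" or directly follow a ";" separator, so a name
# that merely ends in "login" (ow-autologin) no longer qualifies.
STRICT_PCRE = re.compile(rb"^Cookie\x3a(?:[^\n]*?;)?\s*login=0", re.S | re.M | re.I)


def _content_options(payload: bytes) -> bool:
    low = payload.lower()
    return b"login=0" in low and b"cookie:" in low


def sid_2441_matches(payload: bytes) -> bool:
    """True if the rule as posted would alert on this HTTP request."""
    return _content_options(payload) and SID_2441_PCRE.search(payload) is not None


def strict_matches(payload: bytes) -> bool:
    """True if the tightened variant would alert on this HTTP request."""
    return _content_options(payload) and STRICT_PCRE.search(payload) is not None


def cookies(payload: bytes) -> dict:
    """Cookie names and values from the request, to show what really matched."""
    m = re.search(rb"^Cookie\x3a[ \t]*([^\r\n]*)", payload, re.M | re.I)
    result = {}
    if m:
        for part in m.group(1).split(b";"):
            name, _, value = part.strip().partition(b"=")
            if name:
                result[name.decode("latin-1")] = value.decode("latin-1")
    return result


# Constructed request shaped like what the rule is meant to catch: a cookie
# literally named "login" set to 0.  Sample input, not a capture.
SUSPECT_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: target.example\r\n"
                   b"Cookie: login=0\r\n\r\n")

if __name__ == "__main__":
    payload = tcp_payload(parse_hexdump(PACKET_HEXDUMP))
    print("payload bytes:", len(payload))
    print("cookies:", cookies(payload))
    print("SID 2441 on openwebmail request:", sid_2441_matches(payload))
    print("strict variant on openwebmail request:", strict_matches(payload))
    print("SID 2441 on suspect request:", sid_2441_matches(SUSPECT_REQUEST))
    print("strict variant on suspect request:", strict_matches(SUSPECT_REQUEST))
```

Run as a script, it reports the 391-byte payload tcpdump announced, lists the four ow-* cookies, and shows the posted rule firing on the openwebmail request while the tightened PCRE does not, with both firing on the constructed "login=0" cookie. Whether the tightened pattern is safe to deploy depends on how NetObserve actually names its cookie, which this thread does not establish; disabling the rule where NetObserve is not in use, as suggested above, needs no such assumption.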