
Sig. 3217 - false positive?

DSmirnov
Level 1

Found 3217 triggered on the 'referral' field in the HTTP request.

Example:

XXX.170.1.72 - - [29/Oct/2001:23:23:48 -0800] "GET /top.html HTTP/1.0" 200 876 "http://www.theitportal.com/ITPFrameSetBottom.asp?Comp=LifeSupportal.com&Path=http://www.lifesupportal.com/cgi-bin/php.cgi/jobsearch.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"

Is it the only signature in IDS 3.0, or will any other HTTP signature work in the same way?

2 Replies

DSmirnov
Level 1

Got the same situation with signature 5074:

XXX.XXX.XXX.XXX - - [02/Nov/2001:08:03:46 -0800] "GET / HTTP/1.1" 304 - "http://www.search123.com/cgi-bin/ksearch.cgi?AID=XXX&BRAND=&SESSION_ID=XXXXXXXX" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"

Any way to tune HTTP-related signatures to not look at the referrer field?

False positive alarms from the referrer field are a known issue that is fixed in the 3.0(3) release, which is now in the QA process. We have expanded the HTTP decoding facilities in this next service pack.
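For triaging alarms like the two in this thread, the following added example (not part of the original posts and not Cisco code) parses combined-format access log lines and reports whether a pattern appears in the requested URI or only in the Referer. The substrings tied to 3217 and 5074 are assumptions taken from the quoted log lines, not the sensor's signature definitions, and the sample lines are constructed.

```python
import re

# Apache combined format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumed substrings per signature ID, taken from the log lines in the thread.
# These are NOT the sensor's actual signature definitions.
ASSUMED_PATTERNS = {"3217": "php.cgi", "5074": "ksearch.cgi"}


def classify(line, patterns=ASSUMED_PATTERNS):
    """Return {sig_id: 'request' | 'referer-only'} for each pattern found."""
    m = COMBINED.match(line.strip())
    if m is None:
        raise ValueError("not a combined-format log line")
    parts = m.group("request").split(" ")
    # Request line is 'METHOD URI VERSION'; use the whole field if malformed.
    uri = (parts[1] if len(parts) >= 2 else m.group("request")).lower()
    referer = m.group("referer").lower()
    result = {}
    for sig, needle in patterns.items():
        if needle in uri:
            result[sig] = "request"       # the request itself targets the path
        elif needle in referer:
            result[sig] = "referer-only"  # only the referring page's URL matches
    return result


# Constructed sample lines modelled on the entries quoted in the thread.
SAMPLES = [
    '192.0.2.72 - - [29/Oct/2001:23:23:48 -0800] "GET /top.html HTTP/1.0" 200 876 '
    '"http://www.example.com/frame.asp?Path=http://www.example.org/cgi-bin/php.cgi/jobsearch.php?" '
    '"Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"',
    '198.51.100.7 - - [02/Nov/2001:08:03:46 -0800] "GET / HTTP/1.1" 304 - '
    '"http://www.example.net/cgi-bin/ksearch.cgi?AID=1&BRAND=&SESSION_ID=2" '
    '"Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"',
    '203.0.113.9 - - [02/Nov/2001:09:00:00 -0800] "GET /cgi-bin/php.cgi/index.php HTTP/1.0" '
    '404 210 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

Entries classified as `referer-only` are the candidates for the false positive described above; `request` entries deserve a normal investigation.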