10-30-2001 09:40 PM - edited 03-08-2019 09:01 PM
Found 3217 triggered on the 'referrer' field in the HTTP request.
Example:
XXX.170.1.72 - - [29/Oct/2001:23:23:48 -0800] "GET /top.html HTTP/1.0" 200 876 "http://www.theitportal.com/ITPFrameSetBottom.asp?Comp=LifeSupportal.com&Path=http://www.lifesupportal.com/cgi-bin/php.cgi/jobsearch.php?" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"
Is it the only signature in IDS 3.0, or will any other HTTP signature work in the same way?
11-02-2001 12:53 PM
Got the same situation with signature 5074:
XXX.XXX.XXX.XXX - - [02/Nov/2001:08:03:46 -0800] "GET / HTTP/1.1" 304 - "http://www.search123.com/cgi-bin/ksearch.cgi?AID=XXX&BRAND=&SESSION_ID=XXXXXXXX" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
Any way to tune HTTP-related signatures not to look at the referrer field?
11-02-2001 02:49 PM
False positive alarms from the referrer field are a known issue and are fixed in the 3.0(3) release, which is now in the QA process. We have expanded the HTTP decoding facilities in this next service pack.
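Added example, not part of any post in this thread and not Cisco code: one way to triage such alarms against the web server's access log, by checking whether a flagged string appears in the request line or only in the Referer field. The two patterns are stand-ins taken from the log lines quoted above (an assumption), not the actual definitions of signatures 3217 or 5074, and the third sample line is constructed.

```python
import re

# Apache combined log format:
# host ident user [time] "method uri proto" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Stand-in patterns (assumption): NOT the real content of signatures 3217/5074.
PATTERNS = {
    "php-cgi": re.compile(r"/cgi-bin/php\.cgi", re.I),
    "ksearch": re.compile(r"/cgi-bin/ksearch\.cgi", re.I),
}

def classify(line):
    """Map each pattern found in the line to 'request' or 'referer-only'."""
    m = COMBINED.match(line)
    if m is None:
        raise ValueError("not a combined-format log line")
    hits = {}
    for name, pat in PATTERNS.items():
        if pat.search(m["uri"]):
            hits[name] = "request"        # the client asked this server for it
        elif pat.search(m["referer"]):
            hits[name] = "referer-only"   # only names the page the client came from
    return hits

SAMPLES = [
    # The two log lines quoted in the thread.
    'XXX.170.1.72 - - [29/Oct/2001:23:23:48 -0800] "GET /top.html HTTP/1.0" 200 876 '
    '"http://www.theitportal.com/ITPFrameSetBottom.asp?Comp=LifeSupportal.com&Path='
    'http://www.lifesupportal.com/cgi-bin/php.cgi/jobsearch.php?" '
    '"Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"',
    'XXX.XXX.XXX.XXX - - [02/Nov/2001:08:03:46 -0800] "GET / HTTP/1.1" 304 - '
    '"http://www.search123.com/cgi-bin/ksearch.cgi?AID=XXX&BRAND=&SESSION_ID=XXXXXXXX" '
    '"Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"',
    # Constructed line: the same path requested from this server directly.
    '192.0.2.10 - - [02/Nov/2001:08:10:00 -0800] "GET /cgi-bin/php.cgi/jobsearch.php '
    'HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible)"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

A `referer-only` result means the string reached the server only as the address of the linking page, which is the false-positive case reported above.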