Hello everyone,
for a few days I have been getting alerts on this SID:
2012870 - ET POLICY HTTP Outbound Request contains pw
Today the rule for me contains this:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP Outbound Request contains pw"; flow:established,to_server; content:"|0d 0a|"; nocase; http_header; classtype:policy-violation; sid:2012870; rev:3; metadata:created_at 2011_05_26, former_category POLICY, confidence Low, signature_severity Informational, updated_at 2023_12_12;)
I did a packet capture:
0000 47 45 54 20 2f 6f 6e 6c 69 6e 65 2e 74 78 74 20 GET /online.txt
0010 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 HTTP/1.1..Host:
0020 63 68 65 63 6b 6f 6e 6c 69 6e 65 2e 68 6f 6d 65 checkonline.home
0030 2d 61 73 73 69 73 74 61 6e 74 2e 69 6f 0d 0a 41 -assistant.io..A
0040 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 43 6f 6e 6e ccept: */*..Conn
0050 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d ection: close...
0060 0a .
You can see " 0d 0a " in the second line. This is a \r\n, so I think we have a false positive/misconfiguration in this rule.
Be kind to me, it's my first time in the ET community.
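As an added example (not part of the original post and not ET's or Suricata's own code), the script below rebuilds the raw request from the hexdump in the post, approximates Suricata's http_header buffer (header lines after the request line, each keeping its \r\n terminator), and evaluates the rule's content keyword against it. It shows why a content of |0d 0a| matches every well-formed request. The "pw=" content used for comparison is an assumption suggested by the rule's name, not the content of the published rule, and the second request with a Cookie header is constructed for the comparison.

```python
"""Replay a Suricata-style content match against a captured HTTP request, offline."""
import re

# Hexdump copied from the post (sample input for this example).
HEXDUMP = """\
0000 47 45 54 20 2f 6f 6e 6c 69 6e 65 2e 74 78 74 20 GET /online.txt
0010 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 HTTP/1.1..Host:
0020 63 68 65 63 6b 6f 6e 6c 69 6e 65 2e 68 6f 6d 65 checkonline.home
0030 2d 61 73 73 69 73 74 61 6e 74 2e 69 6f 0d 0a 41 -assistant.io..A
0040 63 63 65 70 74 3a 20 2a 2f 2a 0d 0a 43 6f 6e 6e ccept: */*..Conn
0050 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 0d ection: close...
0060 0a .
"""

# Constructed request that carries "pw=" in a header, for comparison (not from the post).
COOKIE_REQUEST = (
    b"GET /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Cookie: pw=hunter2\r\n"
    b"\r\n"
)

_ROW = re.compile(r"^[0-9a-fA-F]{4}((?:\s+[0-9a-fA-F]{2}){1,16})")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw bytes from an offset/hex/ASCII dump.

    The {1,16} cap in _ROW is what keeps the ASCII gutter of a full row
    from being read as more bytes."""
    out = bytearray()
    for line in dump.splitlines():
        m = _ROW.match(line)
        if m:
            out.extend(bytes.fromhex(m.group(1).replace(" ", "")))
    return bytes(out)


def http_header_buffer(raw: bytes) -> bytes:
    """Approximate Suricata's http_header buffer: every header line after the
    request line, each terminated by CRLF, up to the end of the headers."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    _request_line, _, headers = head.partition(b"\r\n")
    return headers + b"\r\n" if headers else b""


def parse_content(content: str) -> bytes:
    """Decode Suricata content syntax: literal text with |hex bytes| runs."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 1:          # inside |...|: hex bytes
            out.extend(bytes.fromhex(part))
        else:                   # outside: literal characters
            out.extend(part.encode("latin-1"))
    return bytes(out)


def content_matches(buffer: bytes, content: str, nocase: bool = True) -> bool:
    """Evaluate one content keyword (with optional nocase) against a buffer."""
    needle = parse_content(content)
    if nocase:
        return needle.lower() in buffer.lower()
    return needle in buffer


if __name__ == "__main__":
    captured = hexdump_to_bytes(HEXDUMP)
    for label, request in (("captured request", captured), ("cookie request", COOKIE_REQUEST)):
        hdr = http_header_buffer(request)
        # Content as posted: CRLF is in every header buffer, so it always fires.
        print(label, "content |0d 0a| ->", content_matches(hdr, "|0d 0a|"))
        # Assumed content "pw=": fires only where the string is actually present.
        print(label, "content pw=     ->", content_matches(hdr, "pw="))
```

Run it as a script to see the rule as posted fire on both requests while the assumed "pw=" content fires only on the constructed Cookie request; that is the behaviour you would expect from a rule named as this one is.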