[Snort-sigs] Whisker Name clashes

Chris Green cmg at ...26...
Thu Jan 17 08:29:11 EST 2002

When reading alerts, in fast mode, distinct messages are really nice to

Also add
url, http://www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html  to
all of the alerts

(msg:"WEB-MISC whisker head"; content:"HEAD";
                             offset: 0; depth: 4;
                             nocase; dsize:>512;
                             flags:A+; classtype:attempted-recon;
                             sid:1171; rev:1;)

Change to "WEB-MISC whisker head with large datagram size"

(msg:"WEB-MISC whisker head";
     flags: A+;
     sid:1139; rev:1;)

Change to "WEB-MISC whisker HEAD/./"

(msg:"WEB-MISC whisker splice attack";
 content: "|20|";
 flags: A+; dsize:
 classtype:attempted-recon; sid:1104; rev:1;)

Change to "WEB-MISC whisker splice - packet with only space character"

(msg:"WEB-MISC whisker splice attack";
      dsize: <5;
      flags: A+;
      content: "|09|";
      classtype:attempted-recon; sid:1087; rev:1;)

Change to "WEB-MISC whisker splice - small packet with tab character"

Chris Green <cmg at ...26...>
Laugh and the world laughs with you, snore and you sleep alone.
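
An added example, not part of the original post or of the Snort project: a small lint check for the name clashes the message describes, reporting sids that share one msg string and confirming that the proposed renames clear them. The function names are hypothetical, and the sample keeps only the msg and sid options of the four quoted rules.

```python
import re
from collections import defaultdict
MSG_RE = re.compile(r'msg\s*:\s*"((?:[^"\\]|\\.)*)"')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)')

# Constructed sample: msg and sid of the four rules quoted in the post; headers and
# other options omitted, comment line and backslash continuation added.
SAMPLE = r'''
# whisker rules (constructed comment line)
(msg:"WEB-MISC whisker head"; sid:1171; rev:1;)
(msg:"WEB-MISC whisker head"; \
     sid:1139; rev:1;)
(msg:"WEB-MISC whisker splice attack"; sid:1104; rev:1;)
(msg:"WEB-MISC whisker splice attack"; sid:1087; rev:1;)
'''

# Replacement messages proposed in the post, keyed by sid.
PROPOSED = {
    1171: "WEB-MISC whisker head with large datagram size",
    1139: "WEB-MISC whisker HEAD/./",
    1104: "WEB-MISC whisker splice - packet with only space character",
    1087: "WEB-MISC whisker splice - small packet with tab character",
}

def parse_rules(text):
    """Return {sid: msg} for every rule line carrying both options."""
    joined = re.sub(r'\\\r?\n', ' ', text)    # fold backslash continuations
    rules = {}
    for line in joined.splitlines():
        if line.lstrip().startswith('#'):     # skip comments and disabled rules
            continue
        msg, sid = MSG_RE.search(line), SID_RE.search(line)
        if msg and sid:
            rules[int(sid.group(1))] = msg.group(1)
    return rules

def msg_clashes(rules):
    """Group sids whose msg is identical, ignoring case and whitespace runs."""
    groups = defaultdict(list)
    for sid, msg in rules.items():
        groups[' '.join(msg.lower().split())].append(sid)
    return {m: sorted(s) for m, s in groups.items() if len(s) > 1}

def rename(rules, new_msgs):
    return {sid: new_msgs.get(sid, msg) for sid, msg in rules.items()}

if __name__ == "__main__":
    for r in (parse_rules(SAMPLE), rename(parse_rules(SAMPLE), PROPOSED)):
        print(msg_clashes(r))    # clashes before, then after the renames
```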
