[Snort-sigs] http connect (cacheflow)

Erik Fichtner emf at ...4...
Wed May 1 09:03:27 EDT 2002


On Wed, May 01, 2002 at 08:05:35AM -0500, Noller, Gregory wrote:
> http://online.securityfocus.com/archive/1/257229
> 
> Does anyone know of a rule for this vulnerability?  Snort 1.8.3.

Off the top of my head....


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (flags: A+; content: "CONNECT "; nocase; content: "HTTP/"; nocase; msg: "HTTP CONNECT attempt";)
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (flags: A+; content: "200 Connection established"; nocase; msg: "HTTP CONNECT access successful";)

Server port may vary.  You might want to just "any" it if you've got spare CPU.

-- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-652-5900

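Added example, not part of the original message: a Python emulation of the content tests in the two rules above, run over constructed payloads, that pairs each attempt with a success reply on the same flow and shows an ordinary GET satisfying the first rule because its content matches are unanchored. It ignores the flags: A+ test and the $EXTERNAL_NET/$HTTP_SERVERS variables; the function names, addresses and payloads are assumptions made up for illustration.

```python
# Added illustration: emulates the content tests of the two rules above.
# All payloads and addresses below are constructed sample data.

def is_connect_attempt(payload: bytes) -> bool:
    """Rule 1: both 'CONNECT ' and 'HTTP/' anywhere in the payload, nocase."""
    p = payload.lower()
    return b"connect " in p and b"http/" in p

def is_connect_success(payload: bytes) -> bool:
    """Rule 2: '200 Connection established' anywhere in the payload, nocase."""
    return b"200 connection established" in payload.lower()

def correlate(packets, server_port=80):
    """Pair each attempt with a later success on the same TCP flow.

    packets: iterable of (src, sport, dst, dport, payload).
    Returns (confirmed, unconfirmed) lists of (client, cport, server) flows.
    """
    pending, confirmed = [], []
    for src, sport, dst, dport, payload in packets:
        if dport == server_port and is_connect_attempt(payload):
            flow = (src, sport, dst)
            if flow not in pending and flow not in confirmed:
                pending.append(flow)
        elif sport == server_port and is_connect_success(payload):
            flow = (dst, dport, src)
            if flow in pending:
                pending.remove(flow)
                confirmed.append(flow)
    return confirmed, pending

SAMPLE = [  # constructed traffic; addresses are documentation ranges
    ("198.51.100.7", 40001, "192.0.2.10", 80,
     b"CONNECT host.example.org:443 HTTP/1.0\r\n\r\n"),
    ("192.0.2.10", 80, "198.51.100.7", 40001,
     b"HTTP/1.0 200 Connection established\r\n\r\n"),
    ("198.51.100.8", 40002, "192.0.2.10", 80,
     b"connect host.example.net:443 http/1.1\r\n\r\n"),
    ("192.0.2.10", 80, "198.51.100.8", 40002,
     b"HTTP/1.1 403 Forbidden\r\n\r\n"),
    # Ordinary GET that still satisfies rule 1: the contents are unanchored.
    ("198.51.100.9", 40003, "192.0.2.10", 80,
     b"GET /search?q=how+to+connect HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    ok, open_ = correlate(SAMPLE)
    print("attempt + success:", ok)
    print("attempt only:", open_)
```

Passing server_port=None-style wildcards is not supported here; call correlate() once per proxy port you care about.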