[Snort-sigs] TEST RULE for WhiteHat Security XST

Michael Scheidell scheidell at ...249...
Wed Jan 22 19:52:02 EST 2003


> 
> 
> I came up with this basic test rule:
> # XST TRACE test rule: www.whitehatsec.com/press_releases/WH-PR-20030120.txt*
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "XST TRACE 
> request"; content: "|54 52 41 43 45|"; sid: 10011; classtype: 
> web-application-activity; rev: 1;)

content:"TRACE"; offset:0; depth:6; should cut down on false positives

> 
> I think using stuff like flow and uricontent it could read something like:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (flow: 
> from_client; msg: "XST TRACE request"; uricontent: "TRACE"; sid: 10010; 
> reference: url,http://www.whitehatsec.com/press_releases/WH-PR-20030120.txt; 
> classtype: web-application-activity; rev: 1;)

I don't think TRACE is in a uri (which would normally follow a GET,
right?)

reference should be

url,/www.whitehatsec.com/press_releases/WH-PR-20030120.txt

-- 
Michael Scheidell, CEO
SECNAP Network Security, LLC 
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Looking for a career in Internet security?
http://www.secnap.net/employment/
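The following is an added illustration, not code from this thread or from Snort, that models the three matching strategies discussed above (bare `content` anywhere in the payload, `content` anchored with `offset:0; depth:6;`, and `uricontent`) next to a method-aware check, and runs them over constructed HTTP request payloads. The sample requests, the host names in them and the function names are all made up for the example; `flow` is not modelled. It shows why the unanchored rule fires on any request carrying the bytes "TRACE" in a path or body, why a `uricontent` match never sees the method token of a real TRACE request, and that all of these (like Snort `content` without `nocase`) are case-sensitive.

```python
"""Toy model of Snort-style matching for a TRACE (XST) detection rule.

Added illustration only: not from the mailing-list thread and not Snort
code. The payloads below are constructed samples, not real captures.
"""
from typing import Dict, List, Tuple

# Constructed client -> server payloads (made up for this example).
SAMPLES: List[Tuple[str, bytes]] = [
    ("real TRACE request",
     b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("GET with TRACE in the path",
     b"GET /docs/TRACE-format.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("POST with TRACE in the body",
     b"POST /search HTTP/1.1\r\nHost: www.example.com\r\n"
     b"Content-Length: 11\r\n\r\nq=TRACE+log"),
    ("lower-case trace method",
     b"trace / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("ordinary GET",
     b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]


def matches_anywhere(payload: bytes) -> bool:
    """Mimics content:"|54 52 41 43 45|" with no offset/depth: the five
    bytes 'TRACE' anywhere in the payload satisfy the rule."""
    return b"TRACE" in payload


def matches_anchored(payload: bytes) -> bool:
    """Mimics content:"TRACE"; offset:0; depth:6; -- the pattern must lie
    within the first 6 bytes, i.e. in the method position of the request
    line, so a TRACE token in a path or body no longer counts."""
    return b"TRACE" in payload[:6]


def parse_request_line(payload: bytes) -> Tuple[str, str]:
    """Return (method, request-target) from the first line, or ('', '')
    when the payload does not start with a plausible HTTP request line."""
    line, _, _ = payload.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return "", ""
    return (parts[0].decode("ascii", errors="replace"),
            parts[1].decode("ascii", errors="replace"))


def matches_uricontent(payload: bytes) -> bool:
    """Mimics uricontent:"TRACE": only the request-target (the URI) is
    searched, so the method token of a real TRACE request is never seen,
    while a GET whose path contains 'TRACE' does match."""
    _, target = parse_request_line(payload)
    return "TRACE" in target


def is_trace_request(payload: bytes) -> bool:
    """Method-aware check: the request line's method token is exactly
    TRACE. Methods are case-sensitive in HTTP, so 'trace' is not matched
    here (nor by any of the rules above without nocase)."""
    method, _ = parse_request_line(payload)
    return method == "TRACE"


def evaluate(samples=SAMPLES) -> Dict[str, Tuple[bool, bool, bool, bool]]:
    """Run all four strategies over each sample; tuple order is
    (anywhere, anchored, uricontent, method-aware)."""
    return {
        name: (
            matches_anywhere(p),
            matches_anchored(p),
            matches_uricontent(p),
            is_trace_request(p),
        )
        for name, p in samples
    }


if __name__ == "__main__":
    print(f"{'sample':30} anywhere anchored uricontent method")
    for name, r in evaluate().items():
        print(f"{name:30} {str(r[0]):8} {str(r[1]):8} {str(r[2]):10} {r[3]}")
```

Running it shows the unanchored rule firing on the GET and POST samples (false positives), the anchored rule and the method-aware check agreeing on the real TRACE request only, and `uricontent` matching the wrong sample entirely. The method-aware parse is what a modern preprocessor does for you; on the Snort 1.x/2.0 rule language the thread is discussing, `offset:0; depth:6;` is the closest approximation.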
