[Snort-sigs] SID 1156 change recommendation

Kevin Peuhkurinen kevin.peuhkurinen at ...1555...
Tue Jun 10 07:12:06 EDT 2003


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC apache DOS attempt"; flow:to_server,established; content:"|2f2f2f2f2f2f2f2f|"; classtype:attempted-dos; sid:1156; rev:4;)

This sig appears to detect the attack described here - 
http://www.securityfocus.com/archive/1/8310

If so, shouldn't it be looking for uricontent in specific rather than 
just content?
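
The scope difference behind this question, as an added example that is not part of the original post and is not Snort code: a Python model in which `content` is a search over the whole payload and `uricontent` a search over the request URI only. The sample requests are constructed, and the optional slash-collapsing step is an assumption standing in for a URI normalizer such as http_inspect's multi_slash option.

```python
# Added illustration (not Snort code): `content` searches the whole payload,
# `uricontent` searches only the request URI.
PATTERN = b"/" * 8  # the rule's content:"|2f2f2f2f2f2f2f2f|"


def request_uri(payload: bytes) -> bytes:
    """Return the URI field of the HTTP request line, or b"" if absent."""
    request_line = payload.split(b"\r\n", 1)[0]
    fields = request_line.split(b" ")
    return fields[1] if len(fields) >= 2 else b""


def collapse_slashes(uri: bytes) -> bytes:
    """Assumed normalizer step: squeeze runs of '/' down to a single '/'."""
    out = bytearray()
    for byte in uri:
        if byte == 0x2F and out and out[-1] == 0x2F:
            continue
        out.append(byte)
    return bytes(out)


def content_match(payload: bytes) -> bool:
    return PATTERN in payload


def uricontent_match(payload: bytes, normalize: bool = False) -> bool:
    uri = request_uri(payload)
    if normalize:
        uri = collapse_slashes(uri)
    return PATTERN in uri


# Constructed sample requests, not captured traffic.
SAMPLES = {
    "slashes_in_uri": b"GET " + b"/" * 12 + b" HTTP/1.0\r\n\r\n",
    "slashes_in_header": b"GET /index.html HTTP/1.0\r\n"
                         b"Referer: http://example.com/a////////b\r\n\r\n",
    "slashes_in_body": b"POST /form HTTP/1.0\r\n"
                       b"Content-Length: 12\r\n\r\nx=////////ab",
    "clean": b"GET /a/b/c HTTP/1.0\r\n\r\n",
}


def evaluate() -> dict:
    """Map sample name -> (content, uricontent raw, uricontent normalized)."""
    return {name: (content_match(p), uricontent_match(p),
                   uricontent_match(p, normalize=True))
            for name, p in SAMPLES.items()}
```

In this model the header and body samples match only the payload-wide search, and once repeated slashes are collapsed the URI sample stops matching as well, so a URI-scoped version of the rule depends on how the preprocessor treats runs of slashes.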
