[Snort-sigs] Suggestions for new attack response rules
bmc at ...95...
Wed Dec 1 13:02:04 EST 2004
On Wed, Dec 01, 2004 at 03:51:25PM -0500, Joe Patterson wrote:
> alert tcp any $HTTP_PORTS -> any any (msg:"ATTACK-RESPONSES User attack OK response"; flow:from_server,established; pcre:"/^HTTP\/1\.1 (2|3)\d\d/"; flowbits:isset,http-user-attack; classtype:successful-user;)
Yes, I've thought about this for a long time. It's not anywhere near
as simple as you suggest.
Look at how nessus handles error codes. MANY websites no longer use
200s for "good", and 300s & 400s for various errors, they use 200s for
Sure, you might get a good feeling for the one or two sites you are
looking at for reducing false positives. In the rest of the world,
just looking at HTTP codes is NOT enough.
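An added illustration of bmc's point (example code written for this page, not from either poster): the first function applies only the status-line test from the proposed rule, the second also inspects the response body for phrases typical of error pages served with a 200. The sample responses and the error-phrase list are constructed for the example and are assumptions, not data from the thread.

```python
import re

# Python form of the status-line test in the proposed rule: 2xx or 3xx
# on an HTTP/1.0 or HTTP/1.1 response means "attack succeeded".
STATUS_OK = re.compile(r"^HTTP/1\.[01] (2|3)\d\d")

# Phrases often found in "soft 404" / error-in-200 pages.
# Constructed list for this example; a real deployment would tune it.
ERROR_BODY = re.compile(
    r"(not found|page cannot be found|error occurred|access denied)", re.I
)


def naive_success(response: bytes) -> bool:
    """Mimic the rule: a 2xx/3xx status line alone counts as success."""
    status_line = response.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    return STATUS_OK.match(status_line) is not None


def refined_success(response: bytes) -> bool:
    """Require a 2xx/3xx status AND a body that does not read like an error page."""
    if not naive_success(response):
        return False
    _head, _sep, body = response.partition(b"\r\n\r\n")
    return ERROR_BODY.search(body.decode("latin-1", "replace")) is None


# Constructed sample responses: a genuine hit, a site that returns 200 for
# a missing page, and a site that returns a proper 404.
SAMPLES = {
    "real_hit": (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
        b"uid=33(www-data) gid=33(www-data)\r\n"
    ),
    "soft_404": (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<html><title>Error</title><body>The page cannot be found.</body></html>"
    ),
    "true_404": b"HTTP/1.1 404 Not Found\r\n\r\n<html>Not Found</html>",
}


def classify(samples=SAMPLES):
    """Return {name: (naive_verdict, refined_verdict)} for each sample."""
    return {name: (naive_success(r), refined_success(r)) for name, r in samples.items()}


if __name__ == "__main__":
    for name, (naive, refined) in classify().items():
        print(f"{name:9s} status-only={naive!s:5s} status+body={refined}")
```

Running it shows the "soft_404" response flagged as a successful attack by the status-only test but not by the body-aware one, which is the false positive bmc describes; the body check is itself a heuristic, so it narrows rather than eliminates the problem.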