[Snort-sigs] Suggestions for new attack response rules

Brian bmc at ...95...
Wed Dec 1 13:02:04 EST 2004


On Wed, Dec 01, 2004 at 03:51:25PM -0500, Joe Patterson wrote:
> alert tcp any $HTTP_PORTS -> any any (msg:"ATTACK-RESPONSES User attack OK
> response"; flow:from_server,established; pcre:"/^HTTP\/1\.1 (2|3)\d\d/";
> flowbits:isset,http-user-attack; classtype:successful-user;)

Yes, I've thought about this for a long time.  It's not anywhere near
as simple as you suggest.

Look at how nessus handles error codes.  MANY websites no longer use
200s for "good", and 300s & 400s for various errors, they use 200s for
EVERYTHING.

Sure, you might get a good feeling for the one or two sites you are
looking at for reducing false positives.  In the rest of the world,
just looking at HTTP codes is NOT enough.

Brian
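To make the objection above concrete, here is an added example (not from the thread, and written in Python rather than as a Snort rule): the status-code-only test the proposed rule performs, beside a body-aware variant, both run over constructed responses that include a server answering 200 for an error page. The error-page indicator list is an illustrative assumption.

```python
import re

# Constructed sample responses (not from the thread): a real success, a
# genuine 404, and a "soft error" where the server answers 200 for everything.
SAMPLE_RESPONSES = {
    "real_success": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                     b"<html><body>Welcome, admin</body></html>"),
    "real_error": (b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
                   b"<html><body>Not Found</body></html>"),
    "soft_error": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                   b"<html><body>Error 404: The page you requested "
                   b"was not found.</body></html>"),
}

# The proposed rule's pcre test: a 2xx or 3xx status line from the server.
STATUS_ONLY = re.compile(rb"^HTTP/1\.1 (2|3)\d\d")

# Assumed indicators of an error page hidden behind a 200 (illustrative only).
ERROR_BODY_HINTS = re.compile(rb"(not found|error \d{3}|forbidden|access denied)",
                              re.IGNORECASE)


def status_only_success(raw):
    """Mimic the proposed check: 'success' iff the status is 2xx/3xx."""
    return STATUS_ONLY.match(raw) is not None


def split_response(raw):
    """Separate the header block from the body at the first blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def body_aware_success(raw):
    """Status code plus a body check, so a 200 error page is not counted."""
    head, body = split_response(raw)
    if not STATUS_ONLY.match(head):
        return False
    return ERROR_BODY_HINTS.search(body) is None


def classify_all(samples):
    """Return {name: (status_only_verdict, body_aware_verdict)} per sample."""
    return {name: (status_only_success(r), body_aware_success(r))
            for name, r in samples.items()}


if __name__ == "__main__":
    for name, verdicts in classify_all(SAMPLE_RESPONSES).items():
        print(name, verdicts)
```

The soft-error sample is the case the reply warns about: the status-only check reports success while the body-aware check does not.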
