[Snort-sigs] Suggestions for new attack response rules
bmc at ...95...
Sat Dec 4 11:55:00 EST 2004
On Dec 3, 2004, at 4:36 PM, Jason wrote:
> assuming the 200 OK response is the only possible response and that
> the request is not pipelined or chained on some other way like at the
> end of a keep-alive session...
Not that you will hear this very often, but I 100% agree with Jason.
This isn't a matter of performance. This is a matter of right and
Not only will you get a ton of false negatives, you can get a ton of
false positive "you got owned" alerts. It would be rather trivial to
convert a simple CGI scan into an "Oh god, the world is falling"
Let me reiterate: the idea is a nice one. However, in practice, it's
not as simple as adding a few flowbits.
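Added illustration, not part of the original post and not Snort code: a small Python model of the two-rule flowbits scheme under discussion (an "attack request" rule sets a flowbit, a "200 OK" response rule alerts while the bit is set) run over constructed keep-alive and pipelined HTTP exchanges. The probe signature, host name and sample messages are invented for the example. It also includes a request/response pairing model to show what the rule logic would actually have to track, which is why it is more than a few flowbits.

```python
"""Toy model of a flowbits-style "you got owned" rule on a keep-alive HTTP connection.

Added example, not Snort code. ATTACK_REQ is a hypothetical CGI-scanner probe
signature; every message below is constructed sample data.
"""
import re
from collections import deque

# Hypothetical attack-request signature (the kind of thing a CGI scanner sends).
ATTACK_REQ = re.compile(rb"^GET /cgi-bin/(phf|test-cgi)\b")
# Status line of a server response.
STATUS = re.compile(rb"^HTTP/1\.[01] (\d{3}) ")


def naive_flowbits(wire):
    """Model of the two-rule scheme: rule 1 matches the attack request and sets
    flowbit 'attack_seen'; rule 2 matches a server '200' while the bit is set,
    alerts and clears the bit. No other rule touches the bit.
    `wire` is a list of (side, message) in wire order, side 'c' or 's'.
    Returns the indexes of the responses that raised an alert."""
    alerts, bit = [], False
    for i, (side, msg) in enumerate(wire):
        if side == "c" and ATTACK_REQ.match(msg):
            bit = True
        elif side == "s" and bit:
            m = STATUS.match(msg)
            if m and m.group(1) == b"200":
                alerts.append(i)
                bit = False
    return alerts


def paired(wire):
    """Pair each final response with the oldest unanswered request (HTTP/1.1
    responses come back in request order) and alert only when the paired
    request was the attack and the status is not an error (< 400).
    1xx interim responses do not consume a request. Still a heuristic:
    a 3xx after a successful probe is counted, a 200 error page is not."""
    alerts, pending = [], deque()
    for i, (side, msg) in enumerate(wire):
        if side == "c":
            pending.append(bool(ATTACK_REQ.match(msg)))
        elif side == "s" and pending:
            m = STATUS.match(msg)
            if not m:
                continue
            code = int(m.group(1))
            if 100 <= code < 200:          # interim response, final one still to come
                continue
            was_attack = pending.popleft()
            if was_attack and code < 400:
                alerts.append(i)
    return alerts


# Constructed sample messages (example.test is a placeholder host).
REQ_ATTACK = b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n"
REQ_INDEX = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
RSP_200 = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
RSP_404 = b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"
RSP_302 = b"HTTP/1.1 302 Found\r\nLocation: /\r\nContent-Length: 0\r\n\r\n"

# The case the rule was written for: probe answered with 200.
TRUE_POSITIVE = [("c", REQ_ATTACK), ("s", RSP_200)]
# False positive: probe fails (404), the next benign request on the same
# keep-alive connection succeeds (200); the bit is still set, so it "alerts".
FALSE_POSITIVE = [("c", REQ_ATTACK), ("s", RSP_404), ("c", REQ_INDEX), ("s", RSP_200)]
# False negative: the probe executes but the CGI answers with a redirect, not 200.
FALSE_NEGATIVE = [("c", REQ_ATTACK), ("s", RSP_302)]
# Pipelining: benign request and probe sent back to back; the 200 belongs to the
# benign request and the probe got 404, yet the naive rule alerts on the 200.
PIPELINED = [("c", REQ_INDEX), ("c", REQ_ATTACK), ("s", RSP_200), ("s", RSP_404)]


if __name__ == "__main__":
    for name, wire in [("true positive", TRUE_POSITIVE), ("false positive", FALSE_POSITIVE),
                       ("false negative", FALSE_NEGATIVE), ("pipelined", PIPELINED)]:
        print(f"{name:15s} naive flowbits alerts={naive_flowbits(wire)} paired alerts={paired(wire)}")
```

Run it and the naive model alerts on the wrong response in the false-positive and pipelined cases and misses the redirect case, while the paired model needs per-flow request bookkeeping that plain flowbits do not give you; a real detector would also have to cope with HEAD responses, chunked bodies and connections that were mid-stream when the sensor started seeing them.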