[Snort-sigs] new rule for detect web "=|" (generic pipe after =) attempt
rmkml at ...324...
Wed Dec 14 00:49:01 EST 2005
Please check and maybe add this new rule:
web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC generic cmd pipe after = attempt"; flow:to_server,established;
uricontent:"|3D 7C|"; nocase; classtype:web-application-attack; )
This rule sends an event if your URI contains '=|'!
Improvements/comments are welcome.
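
The matching described above, as an added example that is not part of the original post: a simplified Python model of uricontent (a match against the percent-decoded URI), run over constructed request lines. The function names and sample requests are assumptions for illustration, and the model does not reproduce Snort's http_inspect normalization in full.

```python
from urllib.parse import unquote_to_bytes

RULE_PATTERN = "|3D 7C|"  # uricontent value from the rule in the post


def parse_content(pattern: str) -> bytes:
    """Convert a Snort content string (text mixed with |hex| runs) to bytes."""
    out = bytearray()
    # Splitting on '|' leaves the hex runs at the odd indexes.
    for i, part in enumerate(pattern.split("|")):
        if i % 2:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def uricontent_match(request_line: str, pattern: str, nocase: bool = False) -> bool:
    """Simplified uricontent: search the percent-decoded URI for the pattern."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False  # not a request line, no URI to inspect
    uri = unquote_to_bytes(parts[1])
    needle = parse_content(pattern)
    if nocase:
        # No effect for "=|": neither byte is a letter.
        uri, needle = uri.lower(), needle.lower()
    return needle in uri


def scan(request_lines, pattern=RULE_PATTERN):
    """Return the request lines on which the rule would fire."""
    return [r for r in request_lines if uricontent_match(r, pattern, nocase=True)]


# Constructed sample requests (not taken from real traffic).
SAMPLES = [
    "GET /cgi-bin/view.cgi?file=|example HTTP/1.0",      # literal '=|'
    "GET /cgi-bin/view.cgi?file%3D%7Cexample HTTP/1.0",  # encoded '=|'
    "GET /search?filter=|&sort=name HTTP/1.0",           # '=|', empty value
    "GET /search?q=a|b HTTP/1.0",                        # pipe not right after '='
    "GET /index.html?page=2 HTTP/1.0",                   # no pipe at all
]

if __name__ == "__main__":
    for line in scan(SAMPLES):
        print("ALERT WEB-MISC generic cmd pipe after = attempt:", line)
```

The rule fires on any '=|' in the normalized URI regardless of what follows the pipe, so the third sample alerts just like the first two.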