[Snort-sigs] new rule for detect web "=|" (generic pipe after =) attempt

rmkml rmkml at ...324...
Wed Dec 14 00:49:01 EST 2005


Please check and maybe add this new rule:

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC generic cmd pipe after = attempt"; flow:to_server,established; uricontent:"|3D 7C|"; nocase; classtype:web-application-attack;)

This rule sends an event if your URI contains '=|'!
(http10/http11 ok)

Improvements/comments are welcome.
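
The check this rule performs, as an added example that is not part of the original post or of Snort: Snort matches uricontent against the normalized request URI, so a percent-encoded `%3D%7C` triggers it as well as a literal `=|`. The function names and request lines below are constructed for illustration, and normalization is approximated by a single percent-decode.

```python
from urllib.parse import unquote

PATTERN = "=|"  # bytes 3D 7C, as in the rule's uricontent:"|3D 7C|"

def request_uri(request_line):
    """Return the URI from an HTTP/1.0 or HTTP/1.1 request line, else None."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    return parts[1]

def normalize(uri):
    """Assumption: one pass of %XX decoding stands in for URI normalization."""
    return unquote(uri, encoding="latin-1")

def matches_rule(request_line):
    """True when the normalized URI contains '=' immediately followed by '|'."""
    uri = request_uri(request_line)
    return uri is not None and PATTERN in normalize(uri)

def scan(request_lines):
    """Return the request lines that would raise the event."""
    return [line for line in request_lines if matches_rule(line)]

# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /index.php?page=home HTTP/1.1",                # no pipe at all
    "GET /cgi-bin/view.cgi?file=|placeholder HTTP/1.0", # literal '=|'
    "GET /app?item%3D%7Cplaceholder HTTP/1.1",          # encoded '=|'
    "GET /search?q=a|b HTTP/1.1",                       # pipe, but not after '='
    "GET /filter?tags=|red|blue| HTTP/1.1",             # pipe-delimited value
    "POST /form HTTP/1.1",                              # body is not inspected
]

if __name__ == "__main__":
    for line in scan(SAMPLE_REQUESTS):
        print("ALERT WEB-MISC generic cmd pipe after = attempt:", line)
```

The `/filter?tags=|red|blue|` line also matches, so an application that passes pipe-delimited values in its query string will raise this event on ordinary traffic and may need a suppression or a narrower rule.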


