[Snort-sigs] New rule to detect web "=+" (generic + after =) attempt

rmkml rmkml at ...324...
Wed Dec 14 02:09:01 EST 2005


Hi,

Please check and maybe add this new rule:

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-MISC generic cmd + after = attempt"; 
flow:to_server,established; uricontent:"|3D 2B|"; classtype:web-application-attack; )

This rule sends an event if you have '=+' in your URI!
(HTTP/1.0 and HTTP/1.1 OK)

Improvements/comments are welcome.

Regards
Rmkml
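
An added example (not part of the original post or of Snort itself): a Python sketch of what the rule's `uricontent:"|3D 2B|"` match would flag across a few constructed request lines, useful for gauging false positives before enabling it. It assumes URI normalization amounts to percent-decoding only; the helper names and sample requests are hypothetical.

```python
from urllib.parse import unquote_to_bytes

# Content pattern copied from the rule in the post.
RULE_CONTENT = "|3D 2B|"

# Constructed sample request lines (not captured traffic).
SAMPLES = [
    "GET /search?q=+snort+rules HTTP/1.1",    # '+' is a form-encoded leading space
    "GET /index.php?id=42 HTTP/1.0",
    "GET /view.cgi?file=%2Breport HTTP/1.1",  # %2B decodes to '+'
    "GET /calc?expr=1+2 HTTP/1.1",            # '+' present but not right after '='
    "GET /list?sort=%3D%2Bname HTTP/1.0",     # both bytes percent-encoded
]


def parse_content(pattern: str) -> bytes:
    """Convert a Snort content string such as 'a|3D 2B|b' into raw bytes."""
    out = bytearray()
    # Splitting on '|' alternates literal text (even index) and hex bytes (odd).
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes.fromhex(part)  # fromhex skips the spaces between bytes
    return bytes(out)


def rule_fires(request_line: str, pattern: str = RULE_CONTENT) -> bool:
    """True if the percent-decoded URI contains the rule's content bytes."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False  # not a parsable request line
    # Assumption: normalization is modelled as percent-decoding only.
    normalized = unquote_to_bytes(parts[1])
    return parse_content(pattern) in normalized


def triage(lines):
    """Return (request_line, fired) pairs for review."""
    return [(line, rule_fires(line)) for line in lines]


if __name__ == "__main__":
    for line, fired in triage(SAMPLES):
        print(("ALERT " if fired else "pass  ") + line)
```

The first sample is an ordinary search query whose value begins with a space, so it shows the kind of benign traffic this pattern will also alert on.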