[Snort-sigs] new rule for detect web "=+" (generic + after =) attempt
rmkml at ...324...
Wed Dec 14 02:09:01 EST 2005
Please check and maybe add this new rule:
web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC generic cmd + after = attempt";
flow:to_server,established; uricontent:"|3D 2B|"; classtype:web-application-attack; )
This rule sends an event if you have '=+' in your URI!
Improvements/comments are welcome.
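For anyone evaluating the rule before enabling it, the following is an added example, not part of the original post: it converts the rule's `uricontent` value from Snort's `|hex|` notation to bytes and checks it against a few constructed request URIs. It assumes plain percent-decoding as a stand-in for Snort's URI normalization; the function names and sample URIs are hypothetical.

```python
from urllib.parse import unquote_to_bytes

RULE_CONTENT = "|3D 2B|"  # uricontent value taken from the posted rule


def snort_content_to_bytes(content: str) -> bytes:
    """Convert Snort content syntax (literal text mixed with |hex| runs) to bytes."""
    parts = content.split("|")
    # Balanced pipes always yield an odd number of parts: text, hex, text, ...
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2:
            out += bytes.fromhex(part)      # hex run; spaces between bytes are ignored
        else:
            out += part.encode("latin-1")   # literal text
    return bytes(out)


def normalize_uri(raw_uri: str) -> bytes:
    """Assumption: percent-decoding only; '+' is left as '+', not turned into a space."""
    return unquote_to_bytes(raw_uri)


def rule_matches(raw_uri: str, content: str = RULE_CONTENT) -> bool:
    """True if the decoded URI contains the rule's content bytes."""
    return snort_content_to_bytes(content) in normalize_uri(raw_uri)


# Constructed sample URIs (not captured traffic).
SAMPLE_URIS = [
    "/search?q=+snort+rules",   # value starts with a form-encoded space
    "/search?q=snort+rules",    # '+' present, but not directly after '='
    "/login?tz=+0100",          # signed timezone offset
    "/calc?expr=%3D%2B1",       # '=+' only visible after percent-decoding
    "/index.html",              # no query string
]


def triage(uris):
    """Return (uri, would_alert) pairs for rule tuning."""
    return [(u, rule_matches(u)) for u in uris]


if __name__ == "__main__":
    for uri, hit in triage(SAMPLE_URIS):
        print(f"{'ALERT' if hit else 'ok   '}  {uri}")
```

Because `+` is the form encoding of a space, any query parameter whose value begins with a space or a plus sign matches, which is worth weighing when estimating alert volume for this rule.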