[Snort-sigs] new rule for detect web "=+" (generic + after =) attempt

Roland Turner raz.fs.arg at ...1894...
Wed Dec 14 03:22:13 EST 2005


On Wed, 2005-12-14 at 10:08 +0100, rmkml wrote:

> web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
> (msg:"WEB-MISC generic cmd + after = attempt"; 
> flow:to_server,established; uricontent:"|3D 2B|"; classtype:web-application-attack; )
> 
> this rule sends an event if your URI contains '=+'!
> (http10/http11 ok)

Why would you classify this as an attack? Any web form that is submitted
via GET and with a field whose value starts with a space will match
this. Can you explain why this (and for that matter '=|') concerns you?

- Raz
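
Added example, not part of the original message or of Snort: a simplified model of the rule's `uricontent:"|3D 2B|"` match, run over constructed benign GET form submissions to show the false positives the reply describes. The paths, field names and the percent-decoding step that stands in for Snort's URI normalization are assumptions.

```python
from urllib.parse import urlencode, unquote

# The rule's uricontent:"|3D 2B|" is the two bytes "=+".
RULE_CONTENT = bytes.fromhex("3D2B")


def form_get_uri(path, fields):
    """Build the request URI a browser sends for a GET form submission.

    urlencode() applies form encoding, so a space becomes '+'.
    """
    return path + "?" + urlencode(fields)


def rule_matches(uri):
    """Simplified model of the match (assumption: %XX escapes are decoded
    before the search and a literal '+' is left unchanged)."""
    return RULE_CONTENT in unquote(uri).encode("utf-8")


# Constructed, benign submissions (hypothetical paths and field names).
SAMPLES = [
    ("/search", {"q": " snort rules"}),        # value starts with a space
    ("/search", {"q": "snort rules"}),         # interior space only
    ("/signup", {"name": "Roland", "phone": "+61 2 5550 0000"}),
    ("/comment", {"subject": "", "body": "a = b"}),
]


def evaluate(samples):
    """Return (uri, matched) for every sample form submission."""
    results = []
    for path, fields in samples:
        uri = form_get_uri(path, fields)
        results.append((uri, rule_matches(uri)))
    return results


if __name__ == "__main__":
    for uri, matched in evaluate(SAMPLES):
        print(("ALERT" if matched else "ok   "), uri)
```

Under this model, a leading space is not the only benign trigger: a value that begins with a literal `+` or contains ` = ` also produces `=+` once escapes are decoded.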




