[Snort-sigs] new rule for detect web "=+" (generic + after =) attempt
raz.fs.arg at ...1894...
Wed Dec 14 03:22:13 EST 2005
On Wed, 2005-12-14 at 10:08 +0100, rmkml wrote:
> web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
> (msg:"WEB-MISC generic cmd + after = attempt";
> flow:to_server,established; uricontent:"|3D 2B|"; classtype:web-application-attack; )
> This rule sends an event if your URI contains '=+'!
> (http10/http11 ok)
Why would you classify this as an attack? Any web form that is submitted
via GET and with a field whose value starts with a space will match
this. Can you explain why this (and for that matter '=|') concerns you?
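The false-positive case raised in the reply, shown as an added example that is not part of the original thread. It models the rule as a plain substring search for the bytes `3D 2B` in the request URI (an assumption that ignores Snort's HTTP preprocessing); the paths and field names are constructed.

```python
from urllib.parse import urlencode

# Byte pattern from the rule's uricontent:"|3D 2B|" option, i.e. "=+"
PATTERN = bytes.fromhex("3D2B")


def build_get_uri(path, fields):
    """Build the request URI a browser sends for a GET form submission.

    application/x-www-form-urlencoded encodes a space as '+', so a value
    that starts with a space produces '=+' right after the field name.
    """
    return f"{path}?{urlencode(fields)}"


def rule_matches(uri):
    """Simplified model of the rule: substring search on the URI bytes."""
    return PATTERN in uri.encode("ascii")


# Constructed sample submissions (hypothetical paths and field names).
SAMPLES = [
    ("/search", {"q": " snort rules"}),           # leading space typed by user
    ("/search", {"q": "snort rules"}),            # no leading space
    ("/contact", {"name": "Ann", "msg": " hi"}),  # leading space in 2nd field
    ("/calc", {"expr": "+1"}),                    # literal plus is sent as %2B
]


def evaluate(samples):
    """Return (uri, would_alert) for each constructed submission."""
    results = []
    for path, fields in samples:
        uri = build_get_uri(path, fields)
        results.append((uri, rule_matches(uri)))
    return results


if __name__ == "__main__":
    for uri, hit in evaluate(SAMPLES):
        print(f"{'ALERT' if hit else 'quiet'}  {uri}")
```

Running the same check over a day of the web server's own access-log URIs gives an estimate of alert volume before the rule is enabled.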