[Snort-sigs] new rule for detect iis DoS via ~
rmkml at ...324...
Sun Dec 18 01:48:01 EST 2005
please check and maybe add this new rule :
web-iis.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS
(msg:"WEB-IIS Dos ~ attempt"; flow:to_server,established; uricontent:"~";
pcre:"/~\d/"; classtype:web-application-activity; )
reference is :
(impact only iis v5.1).
Improve/comments are welcome.
More information about the Snort-sigs