[Snort-sigs] new rule for detect iis DoS via ~

rmkml rmkml at ...324...
Sun Dec 18 01:48:01 EST 2005


Hi,

please check and maybe add this new rule :

web-iis.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"WEB-IIS Dos ~ attempt"; flow:to_server,established; uricontent:"~"; 
pcre:"/~\d/"; classtype:web-application-activity; )

reference is :
  http://ingehenriksen.blogspot.com/
(impact only iis v5.1).

Improve/comments are welcome.

Regards
Rmkml




More information about the Snort-sigs mailing list