[Snort-sigs] new rule for detect iis DoS via ~

Frank Knobbe frank at ...1978...
Mon Dec 19 06:27:01 EST 2005


On Sun, 2005-12-18 at 10:46 +0100, rmkml wrote:
> web-iis.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
> (msg:"WEB-IIS Dos ~ attempt"; flow:to_server,established; uricontent:"~"; 
> pcre:"/~\d/"; classtype:web-application-activity; )

That will probably trigger a lot of false positives.
(i.e. ...blogthis.php?id=~2234&user=me)

How about uricontent:".dll"; pcre:"/~\d/U"; ? That way you at least
confine FPs to any .dll-based URLs.

Regards,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
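
An added example, not part of the original thread: a simplified Python model of the two rule variants, run over constructed requests, showing where each one fires. It assumes that `uricontent` and `pcre` with `/U` are evaluated against the normalized (percent-decoded) URI while a plain `pcre` sees the raw payload; the function names and sample requests are hypothetical.

```python
import re
from urllib.parse import unquote

TILDE_DIGIT = re.compile(r"~\d")

def normalized_uri(raw_request: bytes) -> str:
    # Rough stand-in for Snort's URI normalization: take the URI from the
    # request line and percent-decode it.
    request_line = raw_request.split(b"\r\n", 1)[0].decode("latin-1")
    _method, uri, _version = request_line.split(" ", 2)
    return unquote(uri, encoding="latin-1")

def original_rule(raw_request: bytes) -> bool:
    # Models: uricontent:"~"; pcre:"/~\d/";
    # Without /U the pcre runs over the whole raw payload, headers included.
    payload = raw_request.decode("latin-1")
    return "~" in normalized_uri(raw_request) and bool(TILDE_DIGIT.search(payload))

def suggested_rule(raw_request: bytes) -> bool:
    # Models: uricontent:".dll"; pcre:"/~\d/U";
    # Both options look only at the normalized URI.
    uri = normalized_uri(raw_request)
    return ".dll" in uri and bool(TILDE_DIGIT.search(uri))

def req(uri: str, extra_headers: str = "") -> bytes:
    return (f"GET {uri} HTTP/1.1\r\nHost: www.example.com\r\n"
            f"{extra_headers}\r\n").encode("latin-1")

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "blog_query": req("/blogthis.php?id=~2234&user=me"),
    "homedir_with_cookie": req("/~frank/index.html", "Cookie: sid=~7\r\n"),
    "dll_tilde_digit": req("/app/handler.dll?name=~1"),
    "dll_encoded_tilde": req("/app/handler.dll?name=%7e1"),
    "dll_no_tilde": req("/app/handler.dll?user=me"),
}

def evaluate() -> dict:
    # Maps sample name -> (original rule fires, suggested rule fires).
    return {name: (original_rule(r), suggested_rule(r)) for name, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, (orig, sugg) in evaluate().items():
        print(f"{name:22} original={orig!s:5} suggested={sugg}")
```

In this model the original rule fires on the blog query and on a home-directory URL whose only tilde-digit pair is in a cookie, while the `.dll` variant stays quiet on both and still matches when the tilde arrives percent-encoded.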
