[Snort-sigs] Apache Proxy

Adam Hogan hoga4008 at ...2957...
Thu Jan 13 13:38:08 EST 2005


I used the following signatures after discovering a
mis-configured Apache server allowing unlimited proxy requests
to help track down a couple more.  From a research/curiosity
perspective it also gives me the site the attempted-proxy-user
was trying to reach, which has been interesting.

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Proxy GET Request"; flow:to_server,established; content:"GET http\://"; depth:11; nocase; classtype:bad-unknown; sid:1000000; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Proxy HEAD Request"; flow:to_server,established; content:"HEAD http\://"; depth:12; nocase; classtype:bad-unknown; sid:1000001; rev:1;)

-Adam.
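
Added example, not part of the original post: the same condition the two rules match (GET or HEAD followed by "http://", any case), applied after the fact to Apache access log lines to list which outside hosts each client asked for. The LOCAL_NAMES set, the function name and the sample log lines are constructed for illustration; absolute URIs that name the server's own hosts are skipped because they are ordinary requests.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: the names this server legitimately answers for (constructed).
LOCAL_NAMES = {"www.example.org", "example.org"}

# Apache common/combined log format: client ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Za-z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def proxy_attempts(lines, local_names=LOCAL_NAMES):
    """Return {client: [(method, host, status), ...]} for GET/HEAD requests
    carrying an absolute http:// URI whose host is not one of our own names."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access log line
        method = m["method"].upper()
        target = m["target"]
        # Same test as the rules: method GET or HEAD, then "http://", nocase.
        if method not in ("GET", "HEAD"):
            continue
        if not target.lower().startswith("http://"):
            continue
        host = (urlsplit(target).hostname or "").lower()
        if host and host not in local_names:
            hits[m["client"]].append((method, host, int(m["status"])))
    return dict(hits)


# Constructed sample log lines (documentation addresses and host names).
SAMPLE = [
    '192.0.2.10 - - [13/Jan/2005:13:01:02 -0500] "GET http://target.example.net/ HTTP/1.0" 200 1456',
    '192.0.2.10 - - [13/Jan/2005:13:01:09 -0500] "head HTTP://Other.Example.com:8080/a HTTP/1.0" 200 0',
    '198.51.100.7 - - [13/Jan/2005:13:02:00 -0500] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Jan/2005:13:02:05 -0500] "GET http://www.example.org/ HTTP/1.1" 200 512',
    '203.0.113.5 - - [13/Jan/2005:13:03:00 -0500] "POST http://target.example.net/f HTTP/1.0" 403 210',
]

if __name__ == "__main__":
    for client, reqs in proxy_attempts(SAMPLE).items():
        for method, host, status in reqs:
            print(f"{client} {method} {host} -> {status}")
```

The logged status alone does not show whether a request was relayed, since a server with proxying disabled may still answer an absolute-URI request with its own content and a 200; compare the response with the server's own page before concluding it is an open proxy.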




