[Snort-sigs] Apache Proxy

Matt Jonkman matt at ...2436...
Thu Jan 13 17:44:23 EST 2005

That would be very interesting to see. I'll post these on bleedingsnort 
if you don't mind.

Thanks for sending them in.


Adam Hogan wrote:

>I used the following signatures after discovering a
>mis-configured Apache server allowing unlimited proxy requests
>to help track down a couple more.  From a research/curiousity
>perspective it also gives me the site the attempted-proxy-user
>was trying to reach, which has been interesting.
>alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Proxy GET
>Request"; flow:to_server,established; content:"GET http\://";
>depth:11; nocase; classtype:bad-unknown; sid:1000000; rev:1;)
>alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Proxy
>HEAD Request"; flow:to_server,established; content:"HEAD
>http\://"; depth:12; nocase; classtype:bad-unknown;
>sid:1000001; rev:1;)
>The SF.Net email is sponsored by: Beat the post-holiday blues
>Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek.
>It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net

Matthew Jonkman, CISSP
Senior Security Engineer
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC

NOTICE: The information contained in this email is confidential 
and intended solely for the intended recipient. Any use, 
distribution, transmittal or retransmittal of information 
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.  
If you are not the intended recipient, please contact the sender 
and delete all copies.

More information about the Snort-sigs mailing list