[Snort-sigs] RE: Apache Proxy

Hudak, Tyler Tyler.Hudak at ...2959...
Fri Jan 14 05:36:07 EST 2005


If you are going to do rules for GET and HEAD, don't forget to include POST
and CONNECT!

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Proxy POST Request";
flow:to_server,established; content:"POST http\://"; depth:12; nocase;
classtype:bad-unknown; sid:1000002; rev:1;)

alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Proxy CONNECT Request";
flow:to_server,established; content:"CONNECT "; depth:8; nocase;
classtype:bad-unknown; sid:1000003; rev:1;)

Tyler
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20050114/9947ef08/attachment.html>


More information about the Snort-sigs mailing list