[Snort-sigs] RE: Apache Proxy

Matt Jonkman matt at ...2436...
Fri Jan 14 06:15:18 EST 2005


Good point. These are posted as well.

Matt

Hudak, Tyler wrote:

> If you are going to do rules for GET and HEAD, don't forget to include 
> POST and CONNECT!
>
> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Proxy POST 
> Request"; flow:to_server,established; content:"POST http\://"; 
> depth:12; nocase; classtype:bad-unknown; sid:1000002; rev:1;)
>
> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Proxy CONNECT 
> Request"; flow:to_server,established; content:"CONNECT "; depth:8; 
> nocase; classtype:bad-unknown; sid:1000003; rev:1;)
>
> Tyler
>





More information about the Snort-sigs mailing list