[Snort-sigs] RE: Apache Proxy
pauls at ...1311...
Fri Jan 14 08:18:07 EST 2005
--On Friday, January 14, 2005 08:35:33 AM -0500 "Hudak, Tyler"
<Tyler.Hudak at ...2959...> wrote:
> If you are going to do rules for GET and HEAD, don't forget to include
> POST and CONNECT!
> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Proxy POST Request";
> flow:to_server,established; content:"POST http\://"; depth:12; nocase;
> classtype:bad-unknown; sid:1000002; rev:1;)
> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Proxy CONNECT
> Request"; flow:to_server,established; content:"CONNECT "; depth:8;
> nocase; classtype:bad-unknown; sid:1000003; rev:1;)
FYI, you're missing the semi-colon after the SID. This is a fatal error
that will prevent snort from running.
Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
More information about the Snort-sigs