[Snort-sigs] RE: Apache Proxy

Paul Schmehl pauls at ...1311...
Fri Jan 14 08:18:07 EST 2005


--On Friday, January 14, 2005 08:35:33 AM -0500 "Hudak, Tyler" 
<Tyler.Hudak at ...2959...> wrote:

>
> If you are going to do rules for GET and HEAD, don't forget to include
> POST and CONNECT!
>
> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Proxy POST Request";
> flow:to_server,established; content:"POST http\://"; depth:12; nocase;
> classtype:bad-unknown; sid:1000002; rev:1;)
>
> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Proxy CONNECT
> Request"; flow:to_server,established; content:"CONNECT "; depth:8;
> nocase; classtype:bad-unknown; sid:1000003; rev:1;)
>
FYI, you're missing the semi-colon after the SID.  This is a fatal error 
that will prevent snort from running.

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu




More information about the Snort-sigs mailing list