[Snort-sigs] RE: Apache Proxy

Paul Schmehl pauls at ...1311...
Fri Jan 14 08:18:07 EST 2005

--On Friday, January 14, 2005 08:35:33 AM -0500 "Hudak, Tyler" 
<Tyler.Hudak at ...2959...> wrote:

> If you are going to do rules for GET and HEAD, don't forget to include
> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Proxy POST Request";
> flow:to_server,established; content:"POST http\://"; depth:12; nocase;
> classtype:bad-unknown; sid:1000002; rev:1;)
> alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Proxy CONNECT
> Request"; flow:to_server,established; content:"CONNECT "; depth:8;
> nocase; classtype:bad-unknown; sid:1000003; rev:1;)
FYI, you're missing the semi-colon after the SID.  This is a fatal error 
that will prevent snort from running.

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member

More information about the Snort-sigs mailing list