[Snort-sigs] RE: Apache Proxy

Hudak, Tyler Tyler.Hudak at ...2959...
Fri Jan 14 09:26:13 EST 2005


DOH!  Sorry about that all.

> -----Original Message-----
> From: Paul Schmehl [mailto:pauls at ...1311...] 
> Sent: Friday, January 14, 2005 11:18 AM
> To: Hudak, Tyler; 'snort-sigs at lists.sourceforge.net'; 
> 'hoga4008 at ...2957...'
> Subject: Re: [Snort-sigs] RE: Apache Proxy
> 
> 
> --On Friday, January 14, 2005 08:35:33 AM -0500 "Hudak, Tyler" 
> <Tyler.Hudak at ...2959...> wrote:
> 
> >
> > If you are going to do rules for GET and HEAD, don't forget 
> to include
> > POST and CONNECT!
> >
> > alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Proxy 
> POST Request";
> > flow:to_server,established; content:"POST http\://"; 
> depth:12; nocase;
> > classtype:bad-unknown; sid:1000002; rev:1;)
> >
> > alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Proxy CONNECT
> > Request"; flow:to_server,established; content:"CONNECT "; depth:8;
> > nocase; classtype:bad-unknown; sid:1000003; rev:1;)
> >
> FYI, you're missing the semi-colon after the SID.  This is a 
> fatal error 
> that will prevent snort from running.
> 
> Paul Schmehl (pauls at ...1311...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20050114/7163a5ce/attachment.html>


More information about the Snort-sigs mailing list