[Snort-sigs] web spam rules?

Hugo van der Kooij hvdkooij at ...481...
Fri Mar 18 08:36:21 EST 2005


Hi,

Has anyone done any work on webspam rules?

For those who have not heard of it:

Webspam tries to put their fake referer fields in your top 10 referers so
their po../sc../... websites may get a hit or two more.

One can see them in the weblogs with examples like:

69.50.191.130 - - [01/Mar/2005:00:23:12 +0100] "GET http://viruspool.vanderkooij.org/webalizer/usage_200502.html HTTP/1.0" 200 113901 "http://gayarmy.djfuck.net/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
80.190.249.69 - - [01/Mar/2005:00:46:27 +0100] "HEAD / HTTP/1.0" 200 - "http://www.direktversicherung.servemp3.com" "Mozilla/5.0 (Windows; U; Windows NT 5.0; de-DE; rv:1.7) Gecko/20040626 Firefox/0.9.1"

I still get these hits while I have no referer information visible. So I
was hoping some snort rules would help me find the culprits and have their
ISPs slam the door in their face.

Hugo.

-- 
	I hate duplicates. Just reply to the relevant mailinglist.
	hvdkooij at ...481...		http://hvdkooij.xs4all.nl/
		Don't meddle in the affairs of magicians,
		for they are subtle and quick to anger.
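
Added example, not part of the original post: a small log triage script that flags combined-format entries showing the two traits visible in the quoted lines (a HEAD request, or a proxy-style absolute-URI request, combined with an off-site Referer) and groups them by client IP for an abuse report. The `OWN_HOSTS` values, the reason strings and the sample log lines are assumptions constructed for illustration, and the heuristics indicate candidates rather than proof of spam.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" log format, the layout of the lines quoted in the post.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)
# Assumption: the host names this server answers for (hypothetical values).
OWN_HOSTS = {"www.example.org", "example.org"}

def referer_host(referer):
    """Lower-cased host of a Referer value, or '' if absent or unparsable."""
    try:
        return urlsplit(referer).hostname or ""
    except ValueError:          # e.g. a malformed bracketed IPv6 literal
        return ""

def reasons(method, target, referer):
    """Traits seen in the quoted lines; heuristics only, not proof of spam."""
    host = referer_host(referer)
    if not host or host in OWN_HOSTS:
        return []               # no Referer or an internal link
    found = []
    if method == "HEAD":
        found.append("HEAD with external referer")
    if target.lower().startswith(("http://", "https://")):
        found.append("proxy-style absolute URI with external referer")
    return found

def report(lines):
    """Map client IP -> sorted list of (referer host, reason) pairs."""
    hits = defaultdict(set)
    for m in filter(None, map(LOG_RE.match, lines)):  # skip unparsable lines
        for why in reasons(m["method"], m["target"], m["referer"]):
            hits[m["ip"]].add((referer_host(m["referer"]), why))
    return {ip: sorted(pairs) for ip, pairs in hits.items()}

# Constructed sample lines (documentation IP ranges, example domains).
SAMPLE = [
    '192.0.2.10 - - [01/Mar/2005:00:23:12 +0100] "GET http://www.example.org/webalizer/usage_200502.html HTTP/1.0" 200 113901 "http://spam-one.example.net/" "Mozilla/4.0"',
    '198.51.100.7 - - [01/Mar/2005:00:46:27 +0100] "HEAD / HTTP/1.0" 200 - "http://spam-two.example.net" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Mar/2005:01:02:03 +0100] "GET /index.html HTTP/1.1" 200 5120 "http://www.example.org/" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Mar/2005:01:05:00 +0100] "GET /index.html HTTP/1.1" 200 5120 "http://search.example.com/?q=x" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(report(SAMPLE))
```

An ordinary GET with an external Referer (the last sample line) is deliberately not flagged, since that is what a genuine inbound link looks like.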



