[Snort-sigs] web spam rules?
Hugo van der Kooij
hvdkooij at ...481...
Fri Mar 18 08:36:21 EST 2005
Has anyone done any work on webspam rules?
For those who have not heard of it:
webspam tries to put their fake referer fields in your top 10 referers so
their po../sc../... websites may get a hit or two more.
One can see them in the weblogs with examples like:
220.127.116.11 - - [01/Mar/2005:00:23:12 +0100] "GET http://viruspool.vanderkooij.org/webalizer/usage_200502.html HTTP/1.0" 200 113901 "http://gayarmy.djfuck.net/" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"
18.104.22.168 - - [01/Mar/2005:00:46:27 +0100] "HEAD / HTTP/1.0" 200 - "http://www.direktversicherung.servemp3.com" "Mozilla/5.0 (Windows; U; Windows NT 5.0; de-DE; rv:1.7) Gecko/20040626 Firefox/0.9.1"
I still get these hits while I have no referer information visible. So I
was hoping some snort rules would help me find the culprits and have their
ISPs slam the door in their face.
I hate duplicates. Just reply to the relevant mailing list.
hvdkooij at ...481... http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of magicians,
for they are subtle and quick to anger.
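
The two log lines quoted in the message pair an off-site Referer with either a HEAD request or a proxy-style absolute URI in the request line. The Python below is an added example, not part of the original message, that scans a combined-format access log for that combination and groups the referer hosts by client IP; the heuristics, the two-reason threshold, the names `score` and `suspects`, and the sample log are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit
# Apache "combined" log format, the format of the two lines quoted in the post.
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

def referer_host(referer):
    """Return the lower-cased host of a Referer value, or None if absent/unparsable."""
    if referer in ("", "-"):
        return None
    try:
        return (urlsplit(referer).hostname or "").lower() or None
    except ValueError:
        return None

def score(entry, own_hosts):
    """Heuristic reasons (assumptions of this example) to treat a hit as referer spam."""
    host = referer_host(entry["referer"])
    if host is None or host in own_hosts:
        return []
    reasons = ["external-referer"]
    if entry["method"] == "HEAD":
        reasons.append("head-with-referer")      # a followed link is fetched with GET
    if entry["target"].lower().startswith("http://"):
        reasons.append("absolute-uri-request")   # proxy-style request line
    return reasons

def suspects(lines, own_hosts, min_reasons=2):
    """Map client IP -> set of referer hosts for hits with at least min_reasons reasons."""
    found = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        entry = m.groupdict()
        if len(score(entry, own_hosts)) >= min_reasons:
            found[entry["ip"]].add(referer_host(entry["referer"]))
    return dict(found)

# Constructed sample log: documentation IP ranges and example.* names only.
OWN_HOSTS = {"www.example.org"}
SAMPLE = [
    '192.0.2.10 - - [01/Mar/2005:00:23:12 +0100] "GET http://www.example.org/webalizer/usage_200502.html HTTP/1.0" 200 113901 "http://spam.example.net/" "Mozilla/4.0 (compatible; MSIE 5.5)"',
    '192.0.2.11 - - [01/Mar/2005:00:46:27 +0100] "HEAD / HTTP/1.0" 200 - "http://ads.example.com" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Mar/2005:01:02:03 +0100] "GET /index.html HTTP/1.1" 200 5120 "http://search.example.com/?q=snort" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Mar/2005:01:02:04 +0100] "GET /style.css HTTP/1.1" 200 812 "http://www.example.org/index.html" "Mozilla/5.0"',
]
```

An ordinary visitor arriving from an off-site link matches only one reason and is not reported, so the resulting per-IP list stays short enough to review by hand before contacting anyone's ISP.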