[Snort-sigs] False positive - sid 1365

Mark Tombaugh mtombaugh at ...3026...
Fri Mar 18 13:03:50 EST 2005


On Friday 18 March 2005 15:15, Paul Schmehl wrote:
> For 1365 - pcre:"[\/\s;\?\|]?rm\s";

or perhaps
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-ATTACKS rm command attempt"; flow:to_server,established; pcre:"/(\||\?|\/|\;|=|\040|%20)rm(\040|%20)/"; classtype:web-application-attack; sid:1365; rev:5;)

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mark Tombaugh mtombaugh at ...3026... Allied Computer Corporation
Research Triangle Park http://www.alliedcc.com tel:(919)598-8900
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
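
An added example, not part of either post: it runs the two pcre bodies proposed in this thread over constructed payloads to compare false positives and misses. It assumes the patterns see raw, un-normalised payload bytes, and uses Python's `re`, which accepts the same syntax for these two expressions; the function names and sample payloads are made up for the illustration.

```python
import re

# Regex bodies copied from the two proposals in the thread
# (Snort's surrounding /.../ delimiters dropped).
PAUL = re.compile(r"[\/\s;\?\|]?rm\s")
MARK = re.compile(r"(\||\?|\/|\;|=|\040|%20)rm(\040|%20)")

# Constructed payloads, not captured traffic:
# (label, payload as text, True if it really carries an rm command)
SAMPLES = [
    ("benign form text",
     "POST /feedback HTTP/1.1\r\n\r\ncomment=please confirm the form today", False),
    ("benign encoded query",
     "GET /search?q=alarm%20clock HTTP/1.1\r\n\r\n", False),
    ("rm after '=' with space",
     "POST /cgi-bin/run.cgi HTTP/1.1\r\n\r\ncmd=rm -f y", True),
    ("rm after ';' with %20",
     "GET /cgi-bin/view.cgi?file=x;rm%20-f%20y HTTP/1.1\r\n\r\n", True),
]

def evaluate(samples=SAMPLES):
    """Return {label: (paul_hit, mark_hit)} for every sample payload."""
    return {label: (bool(PAUL.search(p)), bool(MARK.search(p)))
            for label, p, _ in samples}

def score(pattern, samples=SAMPLES):
    """Return (false_positives, false_negatives) for one compiled pattern."""
    fp = fn = 0
    for _, payload, is_rm in samples:
        hit = bool(pattern.search(payload))
        if hit and not is_rm:
            fp += 1   # alerted on traffic with no rm command
        elif is_rm and not hit:
            fn += 1   # rm command present but no alert
    return fp, fn

if __name__ == "__main__":
    for label, (paul, mark) in evaluate().items():
        print(f"{label:26} first={paul!s:5} second={mark}")
    # The leading class in the first pattern is optional, so "rm " inside a
    # word such as "confirm " still matches; \s does not match a literal %20.
    print("first  (FP, FN):", score(PAUL))
    print("second (FP, FN):", score(MARK))
```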



