[Snort-sigs] New rule for detect Amap fingerprint (http)

rmkml rmkml at ...324...
Thu Oct 13 00:27:13 EDT 2005


Hi,

Please check and add this new rule :

web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-ATTACKS Amap fingerprint attempt"; flow:to_server,established; 
content:"|80 80 01 03 01|"; depth:5; offset:0; 
classtype:web-application-activity;)

THC-Amap : fast and reliable application fingerprint mapper
http://thc.org/thc-amap/

Regards
Rmkml




More information about the Snort-sigs mailing list