[Snort-sigs] Crusoe Researches offer new rule for detecting Safari Windows file: DoS

Ureleet ureleet at ...2420...
Thu Apr 24 17:37:35 EDT 2008


this rule wont work.  if i remember correctly, i dont think you want ur
destination variable as http_servers...

On Tue, Apr 22, 2008 at 7:07 AM, rmkml <rmkml at ...324...> wrote:

> Hi,
>
> Crusoe Researches offering a new rule for detecting Safari Windows DoS:
>  http://www.Crusoe-Researches.com/en/safariwindowsfiledos.txt
>
> Credits:
> Crusoe Researches
> http://www.Crusoe-Researches.com
> contact at ...3281...
> => Crusoe Researches have more than 2806 UNIQ 'snort' rules for Commercial
> Access
>         (Contact me directly if you are interested)
>
> Crusoe Researches support Bro idps v1.3.25 project format rules
> (http://www.bro-ids.org/):
> signature sid-92806 {
>   ip-proto == tcp
>   event "WEB-CLIENT Safari file:// and % attempt"
>   tcp-state established,responder
>   http-body /.*[^a-zA-Z0-9][fF][iI][lL][eE]\:\/\/(.){0,2}\%/
>   }
>
>
> Azwalaro new nidps open source project (WireShark based)
>  http://www.Crusoe-Researches.com/azwalaro/
>  azwalaro at ...3281...
>  http matches "(?i)[^a-z0-9]file://(.){0,2}%"
>
> Regards
> Rmkml
> Crusoe-Researches.com
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
> Don't miss this year's exciting event. There's still time to save $100.
> Use priority code J8TL2D2.
>
> http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20080424/c9bc157e/attachment.html>


More information about the Snort-sigs mailing list