[Snort-sigs] [Snort-Sigs] sid 17652 possible typo

rmkml rmkml at ...324...
Mon Mar 14 06:38:10 EDT 2011


Hi Matan,
no typo, because it's a http_uri normalizing.
Regards
Rmkml


On Mon, 14 Mar 2011, matan monitz wrote:

> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC
> Microsoft IIS source code disclosure attempt";
> flow:to_server,established; content:"http|3A 2F|localhost"; nocase;
> http_uri; metadata:policy security-ips drop, service http;
> reference:cve,2005-2678; reference:url,secunia.com/advisories/16548;
> classtype:misc-attack; sid:17652; rev:3;)
>
> i think this should be "http|3A 2F 2F|localhost"?




More information about the Snort-sigs mailing list