[Snort-sigs] quick sanity check please?

Jamie Riden jamie.riden at ...2420...
Fri Nov 15 07:51:00 EST 2013

Have a client experiencing a DDoS via POST requests at the moment, and
have hacked up the following, which do match the offending packets
they're seeing, but I've got no "known good" traffic to check for FPs.

Can anyone see anything majorly dumb about this, before it gets loaded
onto the production firewall? :)

# check for packets with POST, and Referer: but not a sensible one
alert tcp any any -> any 80 (msg:"POST with bad referer";
content:"POST"; content:"Referer|3A| "; within:256; content:!".co.uk";
within:48; sid:12009099; rev:1;)

# check for POSTs without Referer (closing "rev:1;)" was missing from the pasted rule)
alert tcp any any -> any 80 (msg:"POST with no referer";
content:"POST"; content:!"Referer|3A| "; within:256; sid:12009098; rev:1;)

# check for Content-Length of >10,000,000 (eight consecutive digits after "Content-Length: ")
alert tcp any any -> any 80 (msg:"POST with silly content-length";
content:"POST"; pcre:"/Content-Length\x3a [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]/"; sid:12009097; rev:1;)

(I know the matches could be a lot tighter than they are...)

Jamie Riden / jamie at ...3509... / jamie.riden at ...2420...
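Since the post has no known-good traffic to check for false positives, here is an added example (not part of Jamie's post, and not Snort itself) that re-implements the three rules' content/within/pcre logic in Python and runs them over constructed requests, including two that show where the bare "POST" match and the 48-byte ".co.uk" window can fire on legitimate traffic. The request bodies, hostnames and sids used as dictionary keys are constructed for the demonstration; confirm any result in Snort proper before loading on the firewall.

```python
"""Approximate model of the posted rules' content/within/pcre semantics (not Snort)."""
import re


def match_within(payload: bytes, needle: bytes, start: int, within: int):
    """Snort 'within': needle must lie entirely inside the `within` bytes after the
    previous match. Returns the end offset of the match, or None if not found."""
    idx = payload.find(needle, start, start + within)
    return None if idx == -1 else idx + len(needle)


def sid_12009099(payload: bytes) -> bool:
    """POST with bad referer: 'Referer: ' within 256 bytes of 'POST', no '.co.uk' in next 48."""
    post = payload.find(b"POST")
    if post == -1:
        return False
    ref_end = match_within(payload, b"Referer: ", post + 4, 256)
    return ref_end is not None and match_within(payload, b".co.uk", ref_end, 48) is None


def sid_12009098(payload: bytes) -> bool:
    """POST with no referer: 'POST' present and no 'Referer: ' within 256 bytes after it."""
    post = payload.find(b"POST")
    return post != -1 and match_within(payload, b"Referer: ", post + 4, 256) is None


CONTENT_LENGTH_8_DIGITS = re.compile(rb"Content-Length\x3a [0-9]{8}")


def sid_12009097(payload: bytes) -> bool:
    """POST with silly content-length: 'POST' anywhere plus an 8-digit Content-Length."""
    return b"POST" in payload and CONTENT_LENGTH_8_DIGITS.search(payload) is not None


def evaluate(payload: bytes) -> set:
    """Return the set of sids that would fire on one request (constructed sid map)."""
    rules = {12009099: sid_12009099, 12009098: sid_12009098, 12009097: sid_12009097}
    return {sid for sid, fn in rules.items() if fn(payload)}


# Constructed sample requests, not captured traffic.
ATTACK_POST = (b"POST /login HTTP/1.1\r\nHost: www.example.co.uk\r\n"
               b"Referer: http://attacker.invalid/\r\nContent-Length: 12345678\r\n\r\n")
GOOD_POST = (b"POST /login HTTP/1.1\r\nHost: www.example.co.uk\r\n"
             b"Referer: http://www.example.co.uk/login\r\nContent-Length: 42\r\n\r\n")
# Legitimate referer whose ".co.uk" falls beyond the 48-byte window: sid 12009099 fires.
LONG_REFERER_POST = (b"POST /login HTTP/1.1\r\nHost: www.example.co.uk\r\n"
                     b"Referer: http://very-long-marketing-campaign-subdomain.example.co.uk/\r\n"
                     b"Content-Length: 42\r\n\r\n")
# A GET whose path contains "POST": the un-anchored content match lets sid 12009098 fire.
GET_WITH_POST_IN_PATH = b"GET /blog/POST-mortem HTTP/1.1\r\nHost: www.example.co.uk\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("attack", ATTACK_POST), ("good", GOOD_POST),
                      ("long referer", LONG_REFERER_POST), ("GET w/ POST", GET_WITH_POST_IN_PATH)]:
        print(f"{name}: {sorted(evaluate(req))}")
```

Anchoring "POST" with depth/offset and widening the ".co.uk" window (or matching on the Referer host rather than a fixed byte count) would remove the two false positives shown here.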
