[Snort-sigs] quick sanity check please?

James Lay jlay at ...3266...
Fri Nov 15 08:01:17 EST 2013


Your last rule pcre could be:

[0-9]{7,8}

I think.

James
On Nov 15, 2013, at 5:51 AM, Jamie Riden <jamie.riden at ...2420...> wrote:

> Have a client experiencing a DDoS via POST requests at the moment, and
> have hacked up the following, which do match the offending packets
> they're seeing, but I've got no "known good" traffic to check for FPs.
> 
> Can anyone see anything majorly dumb about this, before it gets loaded
> onto the production firewall ? :)
> 
> # check for packets with POST, and Referer: but not a sensible one
> alert tcp any any -> any 80 (msg:"POST with bad referer";
> content:"POST"; content:"Referer|3A| "; within:256; content:!".co.uk";
> within:48; sid:12009099; rev:1;)
> 
> #check for POSTs without Referer
> alert tcp any any -> any 80 (msg:"POST with no referer";
> content:"POST"; content:!"Referer|3A| "; within:256; sid:12009098;
> rev:1;)
> 
> #check for Content-Length of >10,000,000
> alert tcp any any -> any 80 (msg:"POST with silly content-length";
> content:"POST";  pcre:"/Content-Length\x3a
> [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]/"; sid:12009097; rev:1;)
> 
> (I know the matches could be a lot tighter than they are...)
> 
> Cheers,
> Jamie
> -- 
> Jamie Riden / jamie at ...3509... / jamie.riden at ...2420...
> http://uk.linkedin.com/in/jamieriden
> 
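As an added example (not from either message in this thread), the three posted rules re-expressed as plain Python checks so they can be run offline over constructed sample requests before the rules reach the production firewall. It assumes the line-wrapped pcre reads `/Content-Length\x3a [0-9]{8}/`, approximates Snort's `within` as a fixed byte window after the previous match, and includes one legitimate request whose long referer the first rule still flags.

```python
import re

def content_within(buf, pattern, start, within):
    """Approximate Snort 'content; within:N': the pattern must lie entirely in the
    N bytes after offset start. Returns the match end offset, or -1 if absent."""
    idx = buf.find(pattern, start, start + within)
    return -1 if idx == -1 else idx + len(pattern)

def post_bad_referer(req):
    """sid 12009099: POST, 'Referer: ' within 256 bytes, no '.co.uk' in the next 48."""
    p = req.find(b"POST")
    if p == -1:
        return False
    ref_end = content_within(req, b"Referer: ", p + 4, 256)
    return ref_end != -1 and content_within(req, b".co.uk", ref_end, 48) == -1

def post_no_referer(req):
    """sid 12009098: POST with no 'Referer: ' in the 256 bytes that follow."""
    p = req.find(b"POST")
    return p != -1 and content_within(req, b"Referer: ", p + 4, 256) == -1

# Assumption: the wrapped pcre in the thread is /Content-Length\x3a [0-9]{8}/,
# i.e. eight consecutive digits, a declared body of 10,000,000 bytes or more.
CONTENT_LENGTH_RE = re.compile(rb"Content-Length\x3a [0-9]{8}")

def post_silly_length(req):
    """sid 12009097: POST whose Content-Length has at least eight digits."""
    return b"POST" in req and CONTENT_LENGTH_RE.search(req) is not None

RULES = {12009099: post_bad_referer, 12009098: post_no_referer, 12009097: post_silly_length}

def evaluate(req):
    """Return the set of sids that would fire on one request."""
    return {sid for sid, check in RULES.items() if check(req)}

def request(headers):
    """Build a constructed POST request (sample data, not captured traffic)."""
    return b"POST /login HTTP/1.1\r\n" + b"".join(h + b"\r\n" for h in headers) + b"\r\n"

SAMPLES = {
    "benign": request([b"Host: www.example.co.uk", b"Referer: https://www.example.co.uk/form", b"Content-Length: 512"]),
    "bad_referer": request([b"Host: www.example.co.uk", b"Referer: http://attacker.example/", b"Content-Length: 512"]),
    "no_referer": request([b"Host: www.example.co.uk", b"Content-Length: 512"]),
    "silly_length": request([b"Host: www.example.co.uk", b"Referer: https://www.example.co.uk/form", b"Content-Length: 99999999"]),
    # Legitimate referer whose ".co.uk" falls outside the 48-byte window: a false positive.
    "long_referer": request([b"Host: www.example.co.uk", b"Referer: https://www.a-rather-long-subdomain-name.example.co.uk/form", b"Content-Length: 512"]),
}
```

Running `evaluate()` over each entry of `SAMPLES` shows which sids fire; the `long_referer` case is the kind of known-good traffic the original post had no capture for.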
