[Snort-sigs] quick sanity check please?

Y M snort at ...3751...
Fri Nov 15 08:21:21 EST 2013

Shouldn't there be \s after the \x3a?


I would also add content modifiers
From: Jamie Riden<mailto:jamie.riden at ...2420...>
Sent: 11/15/2013 3:51 PM
To: Snort Sigs<mailto:snort-sigs at lists.sourceforge.net>
Subject: [Snort-sigs] quick sanity check please?

Have a client experiencing a DDoS via POST requests at the moment, and
have hacked up the following, which do match the offending packets
they're seeing, but I've got no "known good" traffic to check for FPs.

Can anyone see anything majorly dumb about this, before it gets loaded
onto the production firewall? :)

# check for packets with POST, and Referer: but not a sensible one
# (lines are continued with a trailing backslash so the rules load as written)
alert tcp any any -> any 80 (msg:"POST with bad referer"; \
content:"POST"; content:"Referer|3A| "; within:256; content:!".co.uk"; \
within:48; sid:12009099; rev:1;)

# check for POSTs without Referer
alert tcp any any -> any 80 (msg:"POST with no referer"; \
content:"POST"; content:!"Referer|3A| "; within:256; sid:12009098; rev:1;)

# check for Content-Length of >10,000,000 (eight or more consecutive digits)
alert tcp any any -> any 80 (msg:"POST with silly content-length"; \
content:"POST"; pcre:"/Content-Length\x3a [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]/"; \
sid:12009097; rev:1;)

(I know the matches could be a lot tighter than they are...)

Jamie Riden / jamie at ...3509... / jamie.riden at ...2420...
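As an added illustration that is not part of the thread, the script below emulates the three rules above in Python and runs them over constructed HTTP POST requests (not real traffic). The content/within handling is an approximation of Snort's semantics, and a long but legitimate .co.uk Referer is included to show where the within:48 window produces a false positive.

```python
import re

# Constructed sample requests for the cases the rules target (not captured traffic).
FLOOD = (b"POST /index.php HTTP/1.1\r\nHost: www.example.com\r\n"
         b"Content-Length: 10000000\r\n\r\n")
LEGIT = (b"POST /login HTTP/1.1\r\nHost: www.example.co.uk\r\n"
         b"Referer: http://www.example.co.uk/login\r\nContent-Length: 42\r\n\r\n")
FOREIGN_REF = (b"POST /login HTTP/1.1\r\nHost: www.example.co.uk\r\n"
               b"Referer: http://www.example.org/\r\nContent-Length: 42\r\n\r\n")
# Legitimate, but ".co.uk" ends 50 bytes into the value, outside the 48-byte window.
LONG_LEGIT = (b"POST /login HTTP/1.1\r\nHost: example.co.uk\r\n"
              b"Referer: http://very-long-hostname.department.example.co.uk/\r\n"
              b"Content-Length: 42\r\n\r\n")

def _within(payload, needle, start, n):
    """Approximate 'content:...; within:N': needle must lie entirely inside the
    N bytes following 'start' (the end of the previous match). Returns the end
    offset of the match, or -1 if not found."""
    idx = payload.find(needle, start, start + n)
    return idx + len(needle) if idx != -1 else -1

def bad_referer(payload):  # sid 12009099
    post = payload.find(b"POST")
    if post == -1:
        return False
    ref_end = _within(payload, b"Referer: ", post + 4, 256)
    if ref_end == -1:
        return False
    # content:!".co.uk"; within:48 -> alert when ".co.uk" is NOT in the window
    return _within(payload, b".co.uk", ref_end, 48) == -1

def no_referer(payload):  # sid 12009098
    post = payload.find(b"POST")
    return post != -1 and _within(payload, b"Referer: ", post + 4, 256) == -1

# Same pattern as the rule's pcre; [0-9]{8} is equivalent to eight [0-9] atoms.
# The pcre is not relative, so it is searched over the whole payload.
SILLY_LEN = re.compile(rb"Content-Length\x3a [0-9]{8}")

def silly_content_length(payload):  # sid 12009097
    return b"POST" in payload and SILLY_LEN.search(payload) is not None

def evaluate(payload):
    """Return {sid: fired?} for all three rules against one request."""
    checks = ((12009099, bad_referer), (12009098, no_referer),
              (12009097, silly_content_length))
    return {sid: fn(payload) for sid, fn in checks}
```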
