[Snort-sigs] quick sanity check please?

Y M snort at ...3751...
Fri Nov 15 08:21:21 EST 2013


Shouldn't there be \s after the \x3a ?

Content-Length\x3a\s[0-9]{8}

I would also add content modifiers
________________________________
From: Jamie Riden<mailto:jamie.riden at ...2420...>
Sent: 11/15/2013 3:51 PM
To: Snort Sigs<mailto:snort-sigs at lists.sourceforge.net>
Subject: [Snort-sigs] quick sanity check please?

Have a client experiencing a DDoS via POST requests at the moment, and
have hacked up the following, which do match the offending packets
they're seeing, but I've got no "known good" traffic to check for FPs.

Can anyone see anything majorly dumb about this, before it gets loaded
onto the production firewall ? :)

# check for packets with POST, and Referer: but not a sensible one
alert tcp any any -> any 80 (msg:"POST with bad referer";
content:"POST"; content:"Referer|3A| "; within:256; content:!".co.uk";
within:48; sid:12009099; rev:1;)

#check for POSTs without Referer
alert tcp any any -> any 80 (msg:"POST with no referer";
content:"POST"; content:!"Referer|3A| "; within:256; sid:12009098;
rev:1;)

#check for Content-Length of >10,000,000
alert tcp any any -> any 80 (msg:"POST with silly content-length";
content:"POST"; pcre:"/Content-Length\x3a[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]/";
sid:12009097; rev:1;)

(I know the matches could be a lot tighter than they are...)

Cheers,
 Jamie
--
Jamie Riden / jamie at ...3509... / jamie.riden at ...2420...
http://uk.linkedin.com/in/jamieriden
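As an added check that is not part of the thread, the script below replays the logic of the three posted rules in Python over a few constructed POST requests, and compares the posted Content-Length pattern against the one with `\s` suggested in the reply. The `_find` helper only approximates Snort's content/within window handling (an assumption for illustration), and the sample requests are made up, not the client's traffic.

```python
import re

# Constructed sample POST requests for testing; not traffic from the thread.
SAMPLES = {
    "normal_post": (
        b"POST /login HTTP/1.1\r\n"
        b"Host: www.example.co.uk\r\n"
        b"Referer: http://www.example.co.uk/login\r\n"
        b"Content-Length: 27\r\n\r\n"
        b"user=alice&pass=correct-horse"
    ),
    "bad_referer": (
        b"POST /login HTTP/1.1\r\n"
        b"Host: www.example.co.uk\r\n"
        b"Referer: http://unrelated.example/\r\n"
        b"Content-Length: 27\r\n\r\n"
        b"user=alice&pass=correct-horse"
    ),
    "no_referer": (
        b"POST /login HTTP/1.1\r\n"
        b"Host: www.example.co.uk\r\n"
        b"Content-Length: 27\r\n\r\n"
        b"user=alice&pass=correct-horse"
    ),
    "huge_length": (
        b"POST /login HTTP/1.1\r\n"
        b"Host: www.example.co.uk\r\n"
        b"Referer: http://www.example.co.uk/login\r\n"
        b"Content-Length: 10000000\r\n\r\n"
    ),
}


def _find(payload, needle, start, limit=None):
    """Return the end offset of `needle` found in payload[start:start+limit],
    or None. This approximates Snort's content + within (assumption): the
    search window is the `limit` bytes following the previous match."""
    window = payload[start:] if limit is None else payload[start:start + limit]
    idx = window.find(needle)
    return None if idx < 0 else start + idx + len(needle)


def bad_referer(payload):
    """sid 12009099: POST, a Referer header within 256 bytes of it,
    and no ".co.uk" in the 48 bytes after the Referer match."""
    p = _find(payload, b"POST", 0)
    if p is None:
        return False
    r = _find(payload, b"Referer: ", p, 256)
    if r is None:
        return False
    return _find(payload, b".co.uk", r, 48) is None


def no_referer(payload):
    """sid 12009098: POST with no Referer header within 256 bytes of it."""
    p = _find(payload, b"POST", 0)
    return p is not None and _find(payload, b"Referer: ", p, 256) is None


# The pattern as posted (no whitespace after the colon) and the variant
# with \s from the reply; [0-9]{8} is equivalent to eight [0-9] atoms.
ORIGINAL_CL = re.compile(rb"Content-Length\x3a[0-9]{8}")
SPACE_CL = re.compile(rb"Content-Length\x3a\s[0-9]{8}")


def silly_content_length(payload, pattern=SPACE_CL):
    """sid 12009097: POST whose Content-Length has eight digits."""
    return b"POST" in payload and pattern.search(payload) is not None


def evaluate(samples=SAMPLES):
    """Run all three checks over every sample; returns {name: {rule: bool}}."""
    return {
        name: {
            "bad_referer": bad_referer(req),
            "no_referer": no_referer(req),
            "silly_cl_posted": silly_content_length(req, ORIGINAL_CL),
            "silly_cl_with_space": silly_content_length(req, SPACE_CL),
        }
        for name, req in samples.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(name, result)
```

Running it shows the posted Content-Length pattern never fires on a header written as `Content-Length: 10000000`, because the space after the colon sits between `\x3a` and the first digit; the `\s` variant does fire, and only on the oversized request.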
