[Snort-users] SSL worm sigs

Shane Williams shanew at ...5387...
Mon Sep 16 10:01:10 EDT 2002


-----BEGIN PGP SIGNED MESSAGE-----

On Sun, 15 Sep 2002, Brian Caswell wrote:

> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPERIMENTAL WEB-MISC bad HTTP/1.1 request, potentual worm attack"; flow:to_server,established; content:"GET / HTTP/1.1|0a 0d 0a 0d|";  offset:0; depth:18; reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html; classtype:web-application-activity; sid:1881; rev:1;)

Wow, you were nearly right on with that.

Just change the content:"GET / HTTP/1.1|0a 0d 0a 0d|";
to
content:"GET / HTTP/1.1|0d 0a 0d 0a|";

I've checked this and it works.

- -- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                | Systems Administrator UT-GSLIS
=----------------------------------+-------------------------------
All syllogisms contain three lines |        shanew at ...6911...
Therefore this is not a syllogism  |   www.gslis.utexas.edu/~shanew

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPYYORma83yV7vGjZAQEBcwP/SbVu04/ddhU28NEfC0qqaA/Y3O9IwrVD
bcUcpqkHg5I38IcBWU4P26r6ovBTXtDmfoIhUJOV1WbsE0h139H8WIxVT1DtrFKe
OTXLCE+S9JIMQCAYsBBvveo1Y1LU2GNQaBI58cBaLoUUYYfhDxU28V93fpFKa9pR
CdN7Lid6Qn0=
=hM8G
-----END PGP SIGNATURE-----
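To see why the byte order matters, here is an added example (not part of the thread, and not Snort's own matching engine) that converts a Snort `content:` string with `|hex|` segments into raw bytes and applies the rule's `offset`/`depth` window to constructed sample HTTP requests. The payloads and the `evaluate()` helper are assumptions made for illustration; the two content strings are the ones quoted above.

```python
import re
from typing import Optional

# Snort content strings mix literal text with |hex| segments, e.g.
# "GET / HTTP/1.1|0d 0a 0d 0a|". Turn one into the raw bytes Snort
# would search for in the packet payload.
def snort_content_to_bytes(content: str) -> bytes:
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")   # literal text segment
        else:
            out += bytes.fromhex(part)      # hex segment, spaces ignored
    return bytes(out)

# Emulate content/offset/depth: search only the window that starts at
# `offset` and is `depth` bytes long (whole remaining payload if depth is None).
def content_matches(payload: bytes, content: str,
                    offset: int = 0, depth: Optional[int] = None) -> bool:
    needle = snort_content_to_bytes(content)
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return needle in window

# Constructed sample payloads (not captures from the thread).
WORM_REQUEST = b"GET / HTTP/1.1\r\n\r\n"                       # bare request, no headers
NORMAL_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

ORIGINAL_CONTENT = "GET / HTTP/1.1|0a 0d 0a 0d|"   # as posted for sid:1881 rev:1
CORRECTED_CONTENT = "GET / HTTP/1.1|0d 0a 0d 0a|"  # CRLF CRLF, the fix in the reply

# Hypothetical driver: run both content strings against both payloads
# using the rule's offset:0; depth:18 window.
def evaluate() -> dict:
    return {
        "original_vs_worm": content_matches(WORM_REQUEST, ORIGINAL_CONTENT, 0, 18),
        "corrected_vs_worm": content_matches(WORM_REQUEST, CORRECTED_CONTENT, 0, 18),
        "corrected_vs_normal": content_matches(NORMAL_REQUEST, CORRECTED_CONTENT, 0, 18),
    }

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```

The `depth:18` window is exactly the length of `GET / HTTP/1.1\r\n\r\n`, so the corrected rule fires only on a request line followed immediately by the blank line that ends the headers; a normal request with a `Host:` header does not match, and the original `|0a 0d 0a 0d|` ordering never matches a real CRLF sequence at all.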