[Snort-users] FYI - snort and the Apache ssl bug

Allen Baranov allen at ...5331...
Tue Sep 17 23:30:18 EDT 2002


Hi,
Follows is a snort signature for the Apache bug.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPERIMENTAL 
WEB-MISC bad HTTP/1.1 request, potentual worm attack"; 
flow:to_server,established; content:"GET / HTTP/1.1|0d 0a 0d 0a|";  offset:0; 
depth:18; 
reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html; 
classtype:web-application-activity; sid:1881; rev:1;)

Allen Baranov
-- 
Allen Baranov
 Information Security Architects (ISA)
 Tel: +27 (0) 11 326-2242
 Fax: +27 (0) 11 326-2285
 http://www.isa.co.za




More information about the Snort-users mailing list