[Snort-users] FYI - snort and the Apache ssl bug

Jeff Taylor jeff at ...6176...
Wed Sep 18 02:16:05 EDT 2002


What is the value of HTTP_PORTS?  80 or 443 or both?

TIA,
  Jeffrey

Quoting Allen Baranov <allen at ...5331...>:
> Hi,
> Follows is a snort signature for the Apache bug.
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPERIMENTAL 
> WEB-MISC bad HTTP/1.1 request, potentual worm attack"; 
> flow:to_server,established; content:"GET / HTTP/1.1|0d 0a 0d 0a|";  offset:0; 
> depth:18; 
> reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html; 
> classtype:web-application-activity; sid:1881; rev:1;)
> 
> Allen Baranov




More information about the Snort-users mailing list