Snort mailing list archives
Re: SSL worm sigs
From: Shane Williams <shanew () shanew net>
Date: Mon, 16 Sep 2002 12:00:49 -0500 (CDT)
On Sun, 15 Sep 2002, Brian Caswell wrote:

> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPERIMENTAL WEB-MISC bad HTTP/1.1 request, potentual worm attack"; flow:to_server,established; content:"GET / HTTP/1.1|0a 0d 0a 0d|"; offset:0; depth:18; reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html; classtype:web-application-activity; sid:1881; rev:1;)

Wow, you were near right on with that. Just change the

content:"GET / HTTP/1.1|0a 0d 0a 0d|";

to

content:"GET / HTTP/1.1|0d 0a 0d 0a|";

I've checked this and it works.

--
Public key #7BBC68D9 at            | Shane Williams
http://pgp.mit.edu/                | Systems Administrator UT-GSLIS
=----------------------------------+-------------------------------
All syllogisms contain three lines | shanew () gslis utexas edu
Therefore this is not a syllogism  | www.gslis.utexas.edu/~shanew
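
Added example, not part of the original message and not Snort's own code: a simplified Python model of content/offset/depth matching that shows why the byte order in the rule matters. The function names and both sample requests are constructed for illustration.

```python
from typing import Optional


def parse_content(pattern: str) -> bytes:
    """Decode a Snort content string: literal text mixed with |hex bytes|."""
    out = bytearray()
    # Splitting on "|" leaves literal text at even indexes, hex runs at odd ones.
    for i, part in enumerate(pattern.split("|")):
        if i % 2:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("ascii")
    return bytes(out)


def content_match(payload: bytes, pattern: str,
                  offset: int = 0, depth: Optional[int] = None) -> bool:
    """Look for the pattern only inside payload[offset:offset+depth]."""
    needle = parse_content(pattern)
    end = len(payload) if depth is None else offset + depth
    return needle in payload[offset:end]


# The two content strings from the thread.
ORIGINAL = "GET / HTTP/1.1|0a 0d 0a 0d|"   # LF CR LF CR, as first posted
CORRECTED = "GET / HTTP/1.1|0d 0a 0d 0a|"  # CR LF CR LF, as corrected above

# Constructed payloads: HTTP terminates lines with CR LF (0d 0a).
BARE_REQUEST = b"GET / HTTP/1.1\r\n\r\n"  # request line, then the blank line
NORMAL_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def evaluate() -> dict:
    """Run both rule variants against both payloads with offset:0; depth:18."""
    return {
        (name, label): content_match(payload, pattern, offset=0, depth=18)
        for name, pattern in (("original", ORIGINAL), ("corrected", CORRECTED))
        for label, payload in (("bare", BARE_REQUEST), ("normal", NORMAL_REQUEST))
    }


if __name__ == "__main__":
    for key, hit in evaluate().items():
        print(key, "ALERT" if hit else "no match")
```

The pattern is exactly 18 bytes, so depth:18 leaves no slack: only a payload that starts with the request line and ends it immediately with CR LF CR LF matches, and a request that carries headers does not.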