RE: Snort rules to detect malformed http scanning

["Ofer Shezaf" <OferS () Breach com>]

I think that to protect a web server, especially regarding any deviation
of from the HTTP protocol, you may get more from a dedicated web
intrusion detection system such as ModSecurity (www.modsecurity.org).

We have recently released a new core rule set for ModSecurity that
addresses such as malformed URIs and HTTP requests.

~ Ofer Shezaf
www.modsecurity.org
www.breach.com


> -----Original Message-----
> From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]
> On Behalf Of pathik () zimbio com
> Sent: Friday, October 27, 2006 2:02 AM
> To: focus-ids () securityfocus com
> Subject: Snort rules to detect malformed http scanning
>
> I would liek to add rule to my snort database which can block scanning
of
> malformed urls.
>
> We are runnning our website in CGI which eventually generated mix of
java
> script based HTml code.
>
> Few days back we are experiencing traffic from scanners and bots which
> scans our website for PHP files,which we don't have.
>
> I would like to block IP addresses of this types of scan genration.
------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
n=
> intro_sfw
> to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------