Re: Lots of FP's on sid:16214

[rmkml <rmkml () yahoo fr>]

Hi Eoin,
Maybe simply add "/" after "HTTP"? (because it's a http response code)
Regards
Rmkml


On Sat, 14 May 2011, Eoin Miller wrote:

> Rule:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DOS Squid
> Proxy invalid HTTP response code denial of service attempt";
> flow:to_client,established; content:"-100"; fast_pattern:only;
> content:"HTTP"; offset:0; nocase; pcre:"/^HTTP[^\n]+\x2D100/i";
> metadata:policy balanced-ips drop, policy security-ips drop, service
> http; reference:bugtraq,35812; reference:cve,2009-2622;
> classtype:denial-of-service; sid:16214; rev:3;)
>
> This one fires off way too many times when webservers just return URI's
> in the HTML body that have these patterns in the query string. Shouldn't
> this be taking advantage of the http_inspect preprocessor and narrowing
> this search to the http_header instead of every frame coming back from
> the net? It think that small change would fix it.
>
> ASCII packet that fires it:
> http://secure-us
> .imrworldwide.co
> m/cgi-bin/m?cc=1
> &ci=us-10042
> 9&c6=vc,c05&
> amp;tl=dav0-${vi
> deo.id}%20/%20${
> video.headline}&
> amp;cg=${video.f
> ranchise}&rn
> d=${random}"/>.
> </video_repla
> y>. <video_co
> mplete>.
> <param name="pin
> g" value="http:/
> /secure-us.imrwo
> rldwide.com/cgi-
> bin/m?cc=1&amp;c
> i=us-100429&amp;
> c6=vc,c05&amp;tl
> =dav2-${video.id
> }%20/%20${video.
> headline}&amp;cg
> =${video.franchi
> se}&amp;rnd=${ra
> ndom}"/>. </v
> ideo_complete>.<
> /pings>..<!--..
>    3. CONFIGURAB
> LE FUNCTIONALITY
> : PLAYER INSTANC
> ES.    ---------
> ----------------
> ----------------
> ----------------
> --------------.
>    This is where
>  we configure ea
> ch player instan
> ce with override
>  parameters for
> each..    Ideall
> y the player to
> use is just a Fl
> ashparam in the
> embed code...-->
> ..<!-- FREEWHEEL
>  TEST ADS PLAYER
>  INSTANCES -->.
> <!-- FREEWHEEL "
> Main" Player Ins
> tance -->.<playe
> r name="fw_maing
> tv">. <pa
> ram name="low_bi
> trate" value="30
> 0" />. <p
> aram name="high_
> bitrate" value="
> 300" />.
> <param name="aut
> ostart" value="o
> n" />. <p
> aram name="width
> " value="696" />
> . <param
> name="height" va
> lue="388" />.
> <param na
> me="aspect_adjus
> t" value="auto"
> />.. <ad_s
> erver type="FREE
> WHEEL">.
> <param name=
> "ad_api" value="
> http://i.cdn.tur
> ner.com/xslo/cvp
> /ads/freewheel/b
> undles/1/AdManag
> er.swf"/>.
> <param nam
> e="ad_server_roo
> t_url" value="ht
> tp://BEA4.v.fwmr
> m.net"/>.
> <param name
> ="ad_section" va
> lue="" />.
> <param nam
> e="a
>
> -- Eoin
>
> ------------------------------------------------------------------------------
> Achieve unprecedented app performance and reliability
> What every C/C++ and Fortran developer should know.
> Learn how Intel has extended the reach of its next-generation tools
> to help boost performance applications - inlcuding clusters.
> http://p.sf.net/sfu/intel-dev2devmay
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
Achieve unprecedented app performance and reliability
What every C/C++ and Fortran developer should know.
Learn how Intel has extended the reach of its next-generation tools
to help boost performance applications - inlcuding clusters.
http://p.sf.net/sfu/intel-dev2devmay
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users