Snort mailing list archives

Re: quick sanity check please?


From: Y M <snort () outlook com>
Date: Fri, 15 Nov 2013 16:21:21 +0300

Shouldn't there be \s after the \x3a ?

Content-Length\x3a\s[0-9]{8}

I would also add content modifiers.
________________________________
From: Jamie Riden <mailto:jamie.riden () gmail com>
Sent: 11/15/2013 3:51 PM
To: Snort Sigs <mailto:snort-sigs () lists sourceforge net>
Subject: [Snort-sigs] quick sanity check please?

Have a client experiencing a DDoS via POST requests at the moment, and
have hacked up the following, which do match the offending packets
they're seeing, but I've got no "known good" traffic to check for FPs.

Can anyone see anything majorly dumb about this, before it gets loaded
onto the production firewall ? :)

# check for packets with POST, and Referer: but not a sensible one
alert tcp any any -> any 80 (msg:"POST with bad referer"; content:"POST"; content:"Referer|3A| "; within:256; content:!".co.uk"; within:48; sid:12009099; rev:1;)

# check for POSTs without Referer
alert tcp any any -> any 80 (msg:"POST with no referer"; content:"POST"; content:!"Referer|3A| "; within:256; sid:12009098; rev:1;)

# check for Content-Length of >10,000,000
alert tcp any any -> any 80 (msg:"POST with silly content-length"; content:"POST"; pcre:"/Content-Length\x3a[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]/"; sid:12009097; rev:1;)

(I know the matches could be a lot tighter than they are...)

Cheers,
 Jamie
--
Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
http://uk.linkedin.com/in/jamieriden
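
The point raised about the missing \s can be checked offline before the rule goes near a production sensor. The script below is an added example, not code from the thread or from Snort: it runs the pcre as posted, the variant with \s, and a variant with \s* (which tolerates the zero-or-more optional whitespace HTTP allows after the colon) against constructed POST request headers, and compares each verdict with the integer value of the Content-Length header. The request bodies, host name and header values are constructed sample data; Python's re is used as a stand-in for PCRE, which agrees with it for these constructs.

```python
import re

# The pcre as posted in the original rule (no \s after the colon), the form
# proposed in the reply, and a tolerant form. These are Python bytes regexes
# standing in for Snort's PCRE; they are an added example, not Snort's own code.
PCRE_AS_POSTED = re.compile(rb"Content-Length\x3a[0-9]{8}")
PCRE_WITH_SPACE = re.compile(rb"Content-Length\x3a\s[0-9]{8}")
PCRE_OPT_SPACE = re.compile(rb"Content-Length\x3a\s*[0-9]{8}")

# The intent stated in the original post: flag Content-Length over 10,000,000.
THRESHOLD = 10_000_000


def build_post(content_length, sep=b" "):
    """Construct a minimal HTTP POST request header block (constructed sample).

    `content_length` may be an int or a string (to model zero-padded values);
    `sep` is the whitespace placed between the colon and the value.
    """
    lines = [
        b"POST /submit HTTP/1.1",
        b"Host: example.invalid",
        b"Content-Length:" + sep + str(content_length).encode(),
    ]
    return b"\r\n".join(lines) + b"\r\n\r\n"


def content_length_exceeds(payload, threshold=THRESHOLD):
    """Ground truth: parse the header value as an integer and compare it."""
    m = re.search(rb"(?im)^Content-Length:[ \t]*([0-9]+)[ \t]*\r?$", payload)
    return m is not None and int(m.group(1)) > threshold


def evaluate(payload):
    """Return the verdict of each regex variant next to the parsed ground truth."""
    return {
        "as_posted": PCRE_AS_POSTED.search(payload) is not None,
        "with_space": PCRE_WITH_SPACE.search(payload) is not None,
        "opt_space": PCRE_OPT_SPACE.search(payload) is not None,
        "truth": content_length_exceeds(payload),
    }


# Constructed samples: a normal POST, an oversized one, an oversized one with no
# space after the colon, and a small zero-padded value that is still 8 digits.
SAMPLES = {
    "normal": build_post(512),
    "oversized": build_post(12345678),
    "oversized_no_space": build_post(12345678, sep=b""),
    "zero_padded_small": build_post("00000512"),
}


def run_samples():
    """Evaluate every constructed sample; keyed by sample name."""
    return {name: evaluate(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, row in run_samples().items():
        flags = " ".join(f"{k}={'Y' if v else 'n'}" for k, v in row.items())
        print(f"{name:20s} {flags}")
```

Running it shows the regex as posted never fires on a conventionally formatted "Content-Length: 12345678" header because of the space, while the \s form does. The zero-padded row is the caveat for any pure digit-count test: "00000512" is eight digits but a body of 512 bytes, so the ground-truth column disagrees with every regex variant there. The no-space row shows where a single \s is stricter than the header syntax; \s* closes that gap.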

------------------------------------------------------------------------------
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
Free app hosting. Or install the open source package on any LAMP server.
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!