IDS mailing list archives
Re: Snort rules to detect malformed http scanning
From: "Justin Heath" <justin.heath () gmail com>
Date: Mon, 30 Oct 2006 14:25:01 -0500
Resending in plaintext.

On 10/30/06, Justin Heath <justin.heath () gmail com> wrote:

Because no web servers deviate from the guidelines set by the RFCs. ;-)

Seriously, to answer the original question, take a look at the documentation for http_inspect (README.http_inspect, snort manual etc.). There are some options you can put to use such as non_strict, whitespace_chars, oversize_dir_length, webroot, non_rfc_char, multi_slash etc. You should be able to provide good coverage by tuning these options alone. Anything else can be handled by pcre/uricontent rules.

Cheers,
Justin

On 10/29/06, Ofer Shezaf <OferS () breach com> wrote:
> I think that to protect a web server, especially regarding any deviation
> from the HTTP protocol, you may get more from a dedicated web
> intrusion detection system such as ModSecurity ( www.modsecurity.org).
>
> We have recently released a new core rule set for ModSecurity that
> addresses such as malformed URIs and HTTP requests.
>
> ~ Ofer Shezaf
> www.modsecurity.org
> www.breach.com
>
> > -----Original Message-----
> > From: listbounce () securityfocus com [mailto: listbounce () securityfocus com]
> > On Behalf Of pathik () zimbio com
> > Sent: Friday, October 27, 2006 2:02 AM
> > To: focus-ids () securityfocus com
> > Subject: Snort rules to detect malformed http scanning
> >
> > I would like to add a rule to my snort database which can block scanning of
> > malformed urls.
> >
> > We are running our website in CGI which eventually generates a mix of
> > JavaScript-based HTML code.
> >
> > For the past few days we have been experiencing traffic from scanners and
> > bots which scan our website for PHP files, which we don't have.
> >
> > I would like to block the IP addresses generating these types of scans.
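Added example, not part of the original messages and not Snort or ModSecurity code: an offline Python sketch of the checks discussed in this thread, applied to (source IP, request URI) pairs to list the sources doing the scanning. The check names borrow the http_inspect option names from the reply above, but the logic is a simplified stand-in; `MAX_DIR_LEN`, `SCAN_THRESHOLD`, the function names and the sample requests are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

MAX_DIR_LEN = 300    # assumed limit, in the spirit of oversize_dir_length
SCAN_THRESHOLD = 3   # assumed: suspicious requests before a source is reported
PHP_RE = re.compile(r"\.php\d?(?:$|/)", re.IGNORECASE)

def check_uri(raw_uri):
    """Return the reasons a raw request URI looks like scanner traffic."""
    reasons = []
    # Decode the path first so %2e-style encodings cannot hide a match.
    decoded = unquote(raw_uri.split("?", 1)[0])
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        reasons.append("non_rfc_char")
    normalized = re.sub(r"/{2,}", "/", decoded)
    if normalized != decoded:
        reasons.append("multi_slash")
    segments = normalized.split("/")
    depth = 0
    for seg in segments:
        if seg == "..":
            depth -= 1
            if depth < 0:          # climbed above the document root
                reasons.append("webroot")
                break
        elif seg not in ("", "."):
            depth += 1
    if any(len(seg) > MAX_DIR_LEN for seg in segments[:-1]):
        reasons.append("oversize_dir")
    if PHP_RE.search(normalized):  # this site serves no PHP at all
        reasons.append("php_probe")
    return reasons

def scanning_sources(requests, threshold=SCAN_THRESHOLD):
    """Map each source IP with >= threshold suspicious requests to its hits."""
    hits = defaultdict(list)
    for src_ip, uri in requests:
        reasons = check_uri(uri)
        if reasons:
            hits[src_ip].append((uri, reasons))
    return {ip: found for ip, found in hits.items() if len(found) >= threshold}

# Constructed sample (documentation-range addresses), not real traffic.
SAMPLE = [("203.0.113.7", "/index.php"),
          ("203.0.113.7", "/admin//login.PHP?user=a"),
          ("203.0.113.7", "/cgi-bin/%2e%2e/%2e%2e/config%2Ephp"),
          ("198.51.100.4", "/cgi-bin/search.cgi?q=php"),
          ("198.51.100.4", "/images//logo.gif"),
          ("192.0.2.9", "/" + "A" * 400 + "/x.cgi")]
if __name__ == "__main__":
    for ip, found in scanning_sources(SAMPLE).items():
        print(ip, [reasons for _, reasons in found])
```

The per-source threshold keeps a single odd request, such as the doubled slash from 198.51.100.4, from putting an address on a block list.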
Current thread:
- Snort rules to detect malformed http scanning pathik (Oct 27)
- <Possible follow-ups>
- RE: Snort rules to detect malformed http scanning Ofer Shezaf (Oct 30)
- Message not available
- Re: Snort rules to detect malformed http scanning Justin Heath (Oct 30)
- Message not available