Snort mailing list archives

RE: Multiple CONTENT: rule


From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Tue, 21 Aug 2001 19:07:24 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-----Original Message-----
From: Ben Johansen [mailto:benj () intelisoft net]
Sent: Tuesday, August 21, 2001 6:07 PM


Ben,

how about:

pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI calendar access"; flags: A+; uricontent:"/calendar.html"; nocase; classtype:attempted-recon; sid:882; rev:1;)

followed by:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI calendar access"; flags: A+; uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882; rev:1;)


Regards,
Frank

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME encrypted email preferred.

iQA/AwUBO4L3vJytSsEygtEFEQKZiQCfXvcDkWOao0HP8Zb2P7KN57XupskAoPmh
jAwzwDcup2J+PGDh2giCY5Pm
=7PAW
-----END PGP SIGNATURE-----
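
A small model of how the pass/alert pair in the message above is evaluated, added here as an example and not part of the original message or of Snort itself. It models only the `uricontent` substring match and `nocase`; the helper names, the sample URIs and the two orderings `PASS_FIRST` and `ALERT_FIRST` are assumptions of the example. Snort releases of this period applied rules in Alert->Pass->Log order unless started with `-o`, which is why both orderings are shown.

```python
import re

# The two rules from the message, each joined onto a single line.
RULES = [
    'pass tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI calendar access"; flags: A+; uricontent:"/calendar.html"; nocase; classtype:attempted-recon; sid:882; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI calendar access"; flags: A+; uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882; rev:1;)',
]

def parse(rule):
    """Extract only what this model needs: action, uricontent string, nocase flag."""
    action = rule.split()[0]
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    needle = re.search(r'uricontent:\s*"([^"]*)"', body).group(1)
    nocase = re.search(r';\s*nocase\s*;', body) is not None
    return action, needle, nocase

def uri_matches(uri, needle, nocase):
    """uricontent is modelled as a substring match on the request URI."""
    if nocase:
        uri, needle = uri.lower(), needle.lower()
    return needle in uri

def verdict(uri, order):
    """Return the action of the first rule that matches, trying actions in `order`."""
    parsed = [parse(r) for r in RULES]
    for action in order:
        for act, needle, nocase in parsed:
            if act == action and uri_matches(uri, needle, nocase):
                return action
    return None  # no rule matched

PASS_FIRST = ("pass", "alert", "log")   # assumed ordering: pass rules tested first
ALERT_FIRST = ("alert", "pass", "log")  # assumed ordering: alert rules tested first

# Constructed sample URIs, not taken from any real traffic.
SAMPLES = ["/calendar.html", "/CALENDAR.HTML", "/calendar.pl",
           "/cgi-bin/calendar", "/index.html"]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:20} pass-first={verdict(uri, PASS_FIRST)} "
              f"alert-first={verdict(uri, ALERT_FIRST)}")
```

With the alert-first ordering the pass rule never gets a chance to suppress `/calendar.html`, so the pair only behaves as intended when pass rules are tested first.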
