Snort mailing list archives

Re: SSL worm sigs


From: Shane Williams <shanew () gslis utexas edu>
Date: Mon, 16 Sep 2002 11:48:54 -0500 (CDT)

-----BEGIN PGP SIGNED MESSAGE-----

On Sun, 15 Sep 2002, Brian Caswell wrote:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPERIMENTAL WEB-MISC bad HTTP/1.1 request, potential 
worm attack"; flow:to_server,established; content:"GET / HTTP/1.1|0a 0d 0a 0d|";  offset:0; depth:18; 
reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html; 
classtype:web-application-activity; sid:1881; rev:1;)

Wow, you were nearly right on with that.

Just change the content:"GET / HTTP/1.1|0a 0d 0a 0d|";
to
content:"GET / HTTP/1.1|0d 0a 0d 0a|";

I've checked this and it works.

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                | Systems Administrator UT-GSLIS
=----------------------------------+-------------------------------
All syllogisms contain three lines |        shanew () gslis utexas edu
Therefore this is not a syllogism  |   www.gslis.utexas.edu/~shanew

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPYYLema83yV7vGjZAQHSMgP/abO++Gb24zVVmcZvrosVlMTfjLIrMNsR
i+jb3HVkvD+77yq+KreXiLhGXC93CdkZ8JO3zzAPykQFKowTs5oUkttfpGPJP9pG
ciux+o2F1Mhh0bpc5uD4dkvh2YBDiaP+s9UwgHgBHUF64eBdW7bgm92S+xYMrz3d
mnOc4vWaUIw=
=Bnul
-----END PGP SIGNATURE-----
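The byte-order point in the thread above, shown as an added example that is not part of the original post or of the Snort rule set: a small Python emulation of Snort's content/offset/depth matching, run over constructed request payloads (not captured traffic). The function names, sample payloads and the simplified matching semantics are this example's own assumptions; real Snort also evaluates the flow and port options, which are omitted here.

```python
from typing import Optional

# Content patterns exactly as they appear in the thread: the rule as first
# posted (LF CR LF CR) and as corrected in the reply (CR LF CR LF).
ORIGINAL_CONTENT = b"GET / HTTP/1.1\x0a\x0d\x0a\x0d"
CORRECTED_CONTENT = b"GET / HTTP/1.1\x0d\x0a\x0d\x0a"


def snort_content_match(payload: bytes, content: bytes,
                        offset: int = 0, depth: Optional[int] = None) -> bool:
    """Simplified emulation of a Snort 'content' option with 'offset' and
    'depth' (assumption: the pattern must lie entirely inside
    payload[offset:offset+depth]; with no depth, anywhere after offset)."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return content in window


# Constructed sample payloads (not real traffic):
SAMPLES = {
    # A bare HTTP/1.1 request line followed directly by an empty line, CRLF
    # line endings and no Host header. This is the shape the rule targets.
    "bare_crlf": b"GET / HTTP/1.1\r\n\r\n",
    # A normal client request: headers follow the request line, so the
    # empty line is not at byte 14 and the 18-byte window never matches.
    "normal": b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n",
    # Same bare request with LF-only line endings; matches neither pattern.
    "bare_lf": b"GET / HTTP/1.1\n\n",
    # The bare request preceded by two stray bytes: illustrates that
    # offset:0; depth:18 anchors the match to the start of the payload.
    "shifted": b"XX" + b"GET / HTTP/1.1\r\n\r\n",
}


def evaluate(payload: bytes) -> dict:
    """Apply both patterns with the rule's offset:0; depth:18."""
    return {
        "original": snort_content_match(payload, ORIGINAL_CONTENT, 0, 18),
        "corrected": snort_content_match(payload, CORRECTED_CONTENT, 0, 18),
    }


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:10s} {evaluate(payload)}")
    # Without depth the shifted payload would still match the corrected pattern:
    print("shifted, no depth:",
          snort_content_match(SAMPLES["shifted"], CORRECTED_CONTENT))
```

Only the CR LF CR LF form matches the bare request, and only when the request starts the payload; the `depth:18` window is exactly the length of the pattern, so any leading bytes or any header between the request line and the blank line cause a miss. That is why the `|0a 0d 0a 0d|` ordering in the first posting never fired.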



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net