Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: FYI - snort and the Apache ssl bug

From: Jeff Taylor <jeff () austinblues dyndns org>
Date: Wed, 18 Sep 2002 04:15:42 -0500
What is the value of HTTP_PORTS?  80 or 443 or both?

TIA,
  Jeffrey

Quoting Allen Baranov <allen () isa co za>:

Hi,
Follows is a snort signature for the Apache bug.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPERIMENTAL 
WEB-MISC bad HTTP/1.1 request, potentual worm attack"; 
flow:to_server,established; content:"GET / HTTP/1.1|0d 0a 0d 0a|";  offset:0; 
depth:18; 
reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html; 
classtype:web-application-activity; sid:1881; rev:1;)

Allen Baranov



-------------------------------------------------------
This SF.NET email is sponsored by: AMD - Your access to the experts
on Hammer Technology! Open Source & Linux Developers, register now
for the AMD Developer Symposium. Code: EX8664
http://www.developwithamd.com/developerlab
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: