Snort mailing list archives

sid:19825 Apache Killer


From: Yap Ji Wen <jwyap1016 () gmail com>
Date: Fri, 23 Sep 2011 10:23:28 +0800

Hi All,

Can anyone confirm if the following signature is still in the VRT ruleset?


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DOS Apache Killer DoS tool"; flow:established,to_server; content:"Range|3A|bytes="; nocase; http_header; pcre:"/^Range\x3Abytes=([\d\x2D]+\x2C){6}/Hsmi"; content:"HEAD"; nocase; http_method; reference:cve,2011-3192; reference:url,archives.neohapsis.com/archives/fulldisclosure/2011-08/0203.html; classtype:attempted-dos; sid:19825; rev:2; )

I have downloaded the latest Sigs and did not see it in the pack.

If it is indeed removed by VRT, are there any signatures that replace it?

Thanks.

Rgds,
Jiwen
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
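
Added example, not part of the original post and not Snort's own engine: an offline approximation of the three checks in sid:19825 (HEAD method, the Range content match, and the pcre) using Python's re, useful for checking which requests a replacement signature would need to cover. The function names, the host example.test and the sample requests are constructed for illustration; the header block is assumed to be passed as raw text.

```python
import re

# pcre from sid:19825; the s, m and i flags map to DOTALL, MULTILINE, IGNORECASE.
# The H flag (match in the HTTP header buffer) is emulated by searching only
# the header block of the request.
RANGE_PCRE = re.compile(r"^Range\x3Abytes=([\d\x2D]+\x2C){6}", re.S | re.M | re.I)
RANGE_CONTENT = "range:bytes="  # content:"Range|3A|bytes="; nocase; http_header


def parse_request(raw):
    """Split a raw HTTP request into (method, header block)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, _, headers = head.partition("\r\n")
    return request_line.split(" ", 1)[0], headers


def rule_matches(raw):
    """Return True when all three checks of the rule are satisfied."""
    method, headers = parse_request(raw)
    if "head" not in method.lower():          # content:"HEAD"; nocase; http_method
        return False
    if RANGE_CONTENT not in headers.lower():  # fast literal check before the regex
        return False
    return RANGE_PCRE.search(headers) is not None


def build_request(method, n_ranges):
    """Constructed sample request carrying n_ranges byte ranges (0 = no Range)."""
    lines = [f"{method} / HTTP/1.1", "Host: example.test"]
    if n_ranges:
        spec = ",".join(f"{i}-{i + 1}" for i in range(0, 2 * n_ranges, 2))
        lines.append("Range:bytes=" + spec)
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    # The pcre needs six comma-terminated range groups, i.e. at least 7 ranges.
    for method, n in [("HEAD", 7), ("HEAD", 6), ("GET", 7), ("HEAD", 0)]:
        print(method, n, rule_matches(build_request(method, n)))
```
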

