Re: quick sanity check please?

[James Lay <jlay () slave-tothe-box net>]

Your last rule pcre could be:

[0-9]{7,8}

I think.

James
On Nov 15, 2013, at 5:51 AM, Jamie Riden <jamie.riden () gmail com> wrote:

> Have a client experiencing a DDoS via POST requests at the moment, and
> have hacked up the following, which do match the offending packets
> they're seeing, but I've got no "known good" traffic to check for FPs.
>
> Can anyone see anything majorly dumb about this, before it gets loaded
> onto the production firewall ? :)
>
> # check for packets with POST, and Referer: but not a sensible one
> alert tcp any any -> any 80 (msg:"POST with bad referer";
> content:"POST"; content:"Referer|3A| "; within:256; content:!".co.uk";
> within:48; sid:12009099; rev:1;)
>
> #check for POSTs without Referer
> alert tcp any any -> any 80 (msg:"POST with no referer";
> content:"POST"; content:!"Referer|3A| "; within:256; sid:12009098;
> rev:1;)
>
> #check for Content-Length of >10,000,000
> alert tcp any any -> any 80 (msg:"POST with silly content-length";
> content:"POST";  pcre:"/Content-Length\x3a
> [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]/"; sid:12009097; rev:1;)
>
> (I know the matches could be a lot tighter than they are...)
>
> Cheers,
> Jamie
> -- 
> Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
> http://uk.linkedin.com/in/jamieriden
>
> ------------------------------------------------------------------------------
> DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
> OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
> Free app hosting. Or install the open source package on any LAMP server.
> Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
> http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

------------------------------------------------------------------------------
DreamFactory - Open Source REST & JSON Services for HTML5 & Native Apps
OAuth, Users, Roles, SQL, NoSQL, BLOB Storage and External API Access
Free app hosting. Or install the open source package on any LAMP server.
Sign up and see examples for AngularJS, jQuery, Sencha Touch and Native!
http://pubads.g.doubleclick.net/gampad/clk?id=63469471&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!