This topic was a thread a few months back. fowbits will easily allow
what you want. Problem is that in the case of a compromise the attacker
simply has to return a 404 before opening a shell back to you and you
will be none the wiser.
Russell Fulton wrote:
Hi, does stream4 collect both directions of a flow? I.e. is it possible
to have a set of signatures that tags a flow (standard http attack) and
then watched for a 200 response from the web server.
I assume that the answer is no otherwise we would be diong this as a
matter of routine.
It long ago got to the stage where I ignore the flood of altert
generated by people poking at our web servers. The fact that some poked
at our web server is of no interest at all. The fact that someone poked
at the web server and the server did not return an error is of interest.
Perhaps this could be built into a preprocessor that returns the status
on an http connections.
Russell
-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
