Re: [Snort-sigs] new rule for detect iis DoS via ~

On Sun, 2005-12-18 at 10:46 +0100, rmkml wrote:
> web-iis.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
> (msg:"WEB-IIS Dos ~ attempt"; flow:to_server,established; uricontent:"~"; 
> pcre:"/~\d/"; classtype:web-application-activity; )

That will probably trigger a lot of false positives.
(i.e. ...blogthis.php?id=~2234&user=me)

How about uricontent:".dll"; pcre:"/~\d/U"; ? That was you at least
confine FP's to any .dll based URLs.

Regards,
Frank

-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

signature.asc
Description: This is a digitally signed message part