Hi guys,
I need some kindness from you all to give me more explanation about this
following rules:
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"DOS Squid proxy FTP denial
of service attempt"; flow:established,to_server; content:"GET"; nocase;
content:"FTP|3A|//"; nocase;
pcre:"/ftp\x3A\x2F\x2F[\w\x2E\x2F]+[^\x2F]\x3Btype=D/i";
reference:bugtraq,22079; reference:cve,2007-0247; classtype:denial-of-service;
sid:10135; rev:1;)
I have a research to intentionally exploiting squid with my signature-based IDS
with active response support enabled.
Watching th traffic it can make, so I can gladly understand what is going on.
It is all about penetration testing, and
for research purposes only. With rules above, I need more explanation on...
flow:established,to_server;
content:"GET"; nocase;
content:"FTP|3A|//";
nocase;
pcre:"/ftp\x3A\x2F\x2F[\w\x2E\x2F]+[^\x2F]\x3Btype=D/i";
Greatly appreciated for any response,
Thanks in advance
Regard
Mat
____________________________________________________________________________________
Looking for last minute shopping deals?
Find them fast with Yahoo! Search.
http://tools.search.yahoo.com/newsearch/category.php?category=shopping-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell. From the desktop to the data center, Linux is going
mainstream. Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
