this rule wont work. if i remember correctly, i dont think you want ur
destination variable as http_servers...
On Tue, Apr 22, 2008 at 7:07 AM, rmkml <rmkml@free.fr> wrote:
Hi,
Crusoe Researches offering a new rule for detecting Safari Windows DoS:
http://www.Crusoe-Researches.com/en/safariwindowsfiledos.txt
Credits:
Crusoe Researches
http://www.Crusoe-Researches.com
contact@Crusoe-Researches.com
=> Crusoe Researches have more than 2806 UNIQ 'snort' rules for Commercial
Access
(Contact me directly if you are interested)
Crusoe Researches support Bro idps v1.3.25 project format rules
(http://www.bro-ids.org/):
signature sid-92806 {
ip-proto == tcp
event "WEB-CLIENT Safari file:// and % attempt"
tcp-state established,responder
http-body /.*[^a-zA-Z0-9][fF][iI][lL][eE]\:\/\/(.){0,2}\%/
}
Azwalaro new nidps open source project (WireShark based)
http://www.Crusoe-Researches.com/azwalaro/
azwalaro@Crusoe-Researches.com
http matches "(?i)[^a-z0-9]file://(.){0,2}%"
Regards
Rmkml
Crusoe-Researches.com
-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
