IDS: Re: Snort rules to detect malformed http scanning

Re: Snort rules to detect malformed http scanning

From: Justin Heath <justin.heath_at_gmail.com>
Date: Mon, 30 Oct 2006 14:25:01 -0500

Resending in plaintext.

On 10/30/06, Justin Heath <justin.heath_at_gmail.com> wrote:
> Because no web servers deviate from the guidelines set by the RFCs. ;-)
>
> Seriously, to answer the original question, take a look at the documentation for http_inspect (README.http_inspect, Snort manual etc.). There are some options you can put to use such as non_strict, whitespace_chars, oversize_dir_length, webroot, non_rfc_char, multi_slash etc.
>
> You should be able to provide good coverage by tuning these options alone. Anything else can be handled by pcre/uricontent rules.
>
> Cheers,
> Justin
>
>
>
> On 10/29/06, Ofer Shezaf <OferS_at_breach.com> wrote:
> >
> >
> > I think that to protect a web server, especially regarding any deviation
> > from the HTTP protocol, you may get more from a dedicated web
> > intrusion detection system such as ModSecurity (www.modsecurity.org).
> >
> > We have recently released a new core rule set for ModSecurity that
> > addresses issues such as malformed URIs and HTTP requests.
> >
> > ~ Ofer Shezaf
> > www.modsecurity.org
> > www.breach.com
> >
> >
> > > -----Original Message-----
> > > From: listbounce_at_securityfocus.com [mailto:listbounce_at_securityfocus.com]
> > > On Behalf Of pathik_at_zimbio.com
> > > Sent: Friday, October 27, 2006 2:02 AM
> > > To: focus-ids_at_securityfocus.com
> > > Subject: Snort rules to detect malformed http scanning
> > >
> > > I would like to add a rule to my Snort database which can block scanning
> > > of malformed URLs.
> > >
> > > We are running our website in CGI, which eventually generates a mix of
> > > JavaScript-based HTML code.
> > >
> > > A few days back we started experiencing traffic from scanners and bots
> > > which scan our website for PHP files, which we don't have.
> > >
> > > I would like to block the IP addresses of this type of scan generation.
> > >
> > >
> > ------------------------------------------------------------------------
> > > Test Your IDS
> > >
> > > Is your IDS deployed correctly?
> > > Find out quickly and easily by testing it
> > > with real-world attacks from CORE IMPACT.
> > > Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> > > to learn more.
> > >
> > ------------------------------------------------------------------------
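As an added illustration of the tuning Justin describes (not part of the thread, and not a recommended production config), here is a Snort 2.x snort.conf fragment that switches on several of the http_inspect_server options he names, followed by a local uricontent/pcre rule for the ".php probes on a site with no PHP" case from the original question. The ports, the non_rfc_char byte list, the threshold numbers and the sid are assumptions chosen for the example; http_inspect raises its own preprocessor alerts (generator 119) for the anomalies its options control, so only the PHP-probe case needs a separate rule.

```snort
# --- snort.conf fragment (Snort 2.x syntax) ---
# Global http_inspect setup; the IIS unicode map is required here even if
# only Apache/CGI servers are protected.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252

# Per-server profile. Options are spelled out instead of using "profile",
# because "profile" does not allow most normalization flags to be combined with it.
preprocessor http_inspect_server: server default \
    ports { 80 8080 } \
    flow_depth 300 \
    non_strict \
    non_rfc_char { 0x00 0x01 0x0a 0x0d } \
    multi_slash yes \
    directory yes \
    double_decode yes \
    oversize_dir_length 300 \
    webroot yes
# non_strict        : still inspect requests that are not strict "METHOD URI HTTP/x.y"
# non_rfc_char      : alert on the listed bytes appearing in the URI
# multi_slash       : alert on "//" sequences used to confuse path matching
# directory         : alert on "/../" and "/./" traversal sequences
# double_decode     : alert on URIs that decode to a second layer of encoding
# oversize_dir_length: alert on a single directory component longer than 300 bytes
# webroot           : alert on traversal that climbs above the document root

# --- local.rules ---
# Requests for .php resources on a site that serves none. The "U" pcre flag
# matches against the URI as normalized by http_inspect, so the encoding
# tricks above cannot hide the extension. The threshold keeps one alert per
# scanning source rather than one per request.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"LOCAL PHP file probe against non-PHP site"; \
    flow:to_server,established; \
    uricontent:".php"; nocase; \
    pcre:"/\.php\d?(\?|$)/Ui"; \
    threshold:type threshold, track by_src, count 5, seconds 60; \
    classtype:web-application-activity; \
    sid:1000001; rev:1;)
```

This is detection, not blocking; dropping the sources still needs an inline deployment or an external firewall action fed by the alerts. Snort 3 replaced http_inspect with a differently configured inspector, so the option syntax above applies to Snort 2.x only.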
Received on Oct 30 2006
