Dailydave mailing list archives

Re: Testing the quickness of signature writers


From: Brian Caswell <bmc () snort org>
Date: Mon, 1 May 2006 20:59:37 -0400

On May 1, 2006, at 5:58 PM, Dave Aitel wrote:
> So this is our basic IDS tester of the week. It's in the April CANVAS
> release (that's today), and my bet is that NO IDS detects it, since
> none of them were brave enough to send me a VM to test. But now
> everyone has it, so we'll see if they have the ability to quickly pump
> out a signature. It's an easier test than the previous one, so we
> expect par time of less than one week. Less than one day is considered
> a birdie. :>

If only the wife didn't expect me to eat dinner with the family, then help the girls with their homework.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP horde help module arbitrary command execution attempt"; flow:established,to_server; uricontent:"/services/help/"; pcre:"/[\? \x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]/U"; classtype:web-application-attack;)

Brian
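
Added example, not part of the original post: a Python approximation of the rule's uricontent and pcre tests, so the signature can be regression-tested against request URIs before deployment. The function name and sample URIs are constructed for illustration, and Snort's URI normalization (the buffer the "U" flag selects) is assumed to have already been applied.

```python
import re

# The two URI tests from the rule above, applied to an already-normalized URI.
# Assumption: Snort's URI normalization is not modelled here; callers pass the
# URI as it would look after decoding.
URICONTENT = "/services/help/"
MODULE_RE = re.compile(r"[\? \x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]")


def rule_matches(uri: str) -> bool:
    """Return True when both the uricontent and pcre options would match."""
    return URICONTENT in uri and MODULE_RE.search(uri) is not None


# Constructed sample URIs (not captured traffic) with the expected verdict.
SAMPLES = [
    # module parameter with a non-empty value, after '?', '&' or ';'
    ("/horde/services/help/?module=horde&show=menu", True),
    ("/horde/services/help/index.php?show=menu&module=imp", True),
    ("/horde/services/help/?show=menu;module=turba", True),
    # empty module value: nothing follows '=' except the next separator
    ("/horde/services/help/?module=&show=menu", False),
    # no module parameter at all
    ("/horde/services/help/?show=menu", False),
    # module parameter present, but outside the help path
    ("/horde/index.php?module=horde", False),
    # "module=" preceded by a character that is not '?', ' ', ';' or '&'
    ("/horde/services/help/?submodule=horde", False),
]


def run_samples():
    """Evaluate every sample and return (uri, verdict) pairs."""
    return [(uri, rule_matches(uri)) for uri, _ in SAMPLES]


if __name__ == "__main__":
    for uri, hit in run_samples():
        print(f"{'ALERT' if hit else 'pass '}  {uri}")
```

With these constructed inputs the rule alerts on any non-empty module value under the help path, so it keys on the parameter being present rather than on a particular value.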

