Snort mailing list archives

"id command attempt" rule


From: Risto Vaarandi <risto.vaarandi () eyp ee>
Date: Mon, 29 Apr 2002 14:17:07 +0300

hi,

recently, I have received some false positive alarms from "id command
attempt" rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-ATTACKS id
command attempt"; flags:A+; content:"\;id";nocase; sid:1333; rev:1;
classtype:web-application-attack;)

This rule basically looks for a substring ";id" in any packet directed to
a webserver. The problem is these substrings tend to appear quite
frequently, especially in the texts (or picture binaries) the users are
submitting through various web forms using POST method.

Is there any way to rewrite this rule, so that it would not simply match
any occurrence of ";id" anywhere in the packet, but do a stricter check?

best regards,
risto

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
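The check the post asks for, as an added example that is not part of the original message or of the Snort ruleset: the first function reproduces the effective test of the rule quoted above (any ";id" anywhere in the payload, case-insensitive); the second parses the HTTP request, percent-decodes the URI and any urlencoded body, and only fires when "id" stands as a whole shell word after the ";" (followed by whitespace, a shell delimiter or the end of the data). The sample requests are constructed for this example, the request parsing is simplified (no chunking, no multi-packet reassembly, "+" treated as a space in the whole URI), and the idea that Snort would express the same thing with its pcre option is an assumption about how such a rule could be written, not a quote of a shipped rule.

```python
import re
from urllib.parse import unquote_to_bytes

# Effective test of the quoted rule: the bytes ";id" anywhere in the
# payload, case-insensitively.  This is what trips on guestbook text and
# picture uploads.
def naive_match(payload: bytes) -> bool:
    return b";id" in payload.lower()

# Stricter pattern: ';' optionally followed by whitespace, then 'id' as a
# whole shell word, i.e. followed by whitespace, a shell delimiter or the
# end of the data.  ";ideas", ";identity" and ";id\x9f" no longer match.
STRICT_RE = re.compile(rb''';\s*id(?=\s|$|[;&|)<>'"`])''', re.IGNORECASE)

def split_request(payload: bytes):
    """Return (request_line, headers, body) from a raw HTTP request.
    Simplified parser for this example: one request per payload."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def decode_form(data: bytes) -> bytes:
    """Undo application/x-www-form-urlencoded escaping (%XX and '+')."""
    return unquote_to_bytes(data.replace(b"+", b" "))

def strict_match(payload: bytes) -> bool:
    request_line, headers, body = split_request(payload)
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return False                      # not an HTTP request line
    candidates = [decode_form(parts[1])]  # decoded request URI
    ctype = headers.get(b"content-type", b"")
    if ctype.startswith(b"application/x-www-form-urlencoded"):
        candidates.append(decode_form(body))
    else:
        candidates.append(body)           # multipart/binary: raw bytes
    return any(STRICT_RE.search(c) for c in candidates)

# Constructed sample requests (not captured traffic).
SAMPLES = {
    # command injection through a CGI query string
    "inject_uri": b"GET /cgi-bin/finger.cgi?user=foo;id HTTP/1.0\r\n"
                  b"Host: www\r\n\r\n",
    # same attack percent-encoded: the raw bytes ";id" never appear
    "inject_encoded": b"GET /cgi-bin/ping.cgi?host=10.0.0.1%3B%20id HTTP/1.0\r\n"
                      b"Host: www\r\n\r\n",
    # injection through an urlencoded POST field
    "inject_post": b"POST /cgi-bin/run.cgi HTTP/1.0\r\nHost: www\r\n"
                   b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                   b"cmd=ls+-l%3Bid",
    # harmless guestbook text submitted as a multipart form
    "text_post": b"POST /guestbook.cgi HTTP/1.0\r\nHost: www\r\n"
                 b"Content-Type: multipart/form-data; boundary=xyz\r\n\r\n"
                 b"--xyz\r\nContent-Disposition: form-data; name=\"comment\"\r\n\r\n"
                 b"nice site;ideas for next time\r\n--xyz--\r\n",
    # harmless binary upload that happens to contain the bytes ";id"
    "binary_post": b"POST /upload.cgi HTTP/1.0\r\nHost: www\r\n"
                   b"Content-Type: multipart/form-data; boundary=xyz\r\n\r\n"
                   b"--xyz\r\nContent-Disposition: form-data; name=\"pic\"; "
                   b"filename=\"a.gif\"\r\n\r\nGIF89a\x01\x00;id\x9f\x01\r\n--xyz--\r\n",
}

def classify(samples=SAMPLES):
    """Map sample name -> (naive_match, strict_match) for comparison."""
    return {name: (naive_match(p), strict_match(p)) for name, p in samples.items()}

if __name__ == "__main__":
    for name, (naive, strict) in classify().items():
        print(f"{name:15s} naive={naive!s:5s} strict={strict}")
```

Two things the comparison shows beyond the false positives the post complains about: the original byte match is also blind to the attack once ";" is sent as %3B or the command goes in a POST body, so decoding before matching tightens and widens the check at the same time; and the whole-word lookahead is what removes the guestbook and image hits. In Snort the equivalent would be a pcre option on the same rule (pcre was added in Snort 1.8), which is an assumption about the rule form; the http_inspect-style decoding would have to come from the preprocessor, since a rule alone sees raw bytes.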
