Snort mailing list archives

Re: [Snort-Sigs] sid 17652 possible typo

From: rmkml <rmkml () free fr>
Date: Mon, 14 Mar 2011 11:38:10 +0100 (CET)

Hi Matan,
no typo, because it's a http_uri normalizing.
Regards
Rmkml


On Mon, 14 Mar 2011, matan monitz wrote:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC
Microsoft IIS source code disclosure attempt";
flow:to_server,established; content:"http|3A 2F|localhost"; nocase;
http_uri; metadata:policy security-ips drop, service http;
reference:cve,2005-2678; reference:url,secunia.com/advisories/16548;
classtype:misc-attack; sid:17652; rev:3;)

i think this should be "http|3A 2F 2F|localhost"?


------------------------------------------------------------------------------
Colocation vs. Managed Hosting
A question and answer guide to determining the best fit
for your organization - today and in the future.
http://p.sf.net/sfu/internap-sfd2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Current thread:

[Snort-Sigs] sid 17652 possible typo matan monitz (Mar 14)
- Re: [Snort-Sigs] sid 17652 possible typo rmkml (Mar 14)