Resending in plaintext.
On 10/30/06, Justin Heath <[EMAIL PROTECTED]> wrote:
Because no web server deviates from the guidelines set by the RFCs. ;-)
Seriously, to answer the original question, take a look at the documentation for
http_inspect (README.http_inspect, snort manual etc.). There are some options
you can put to use such as non_strict, whitespace_chars, oversize_dir_length,
webroot, non_rfc_char, multi_slash etc.
You should be able to provide good coverage by tuning these options alone.
Anything else can be handled by pcre/uricontent rules.
Cheers,
Justin
On 10/29/06, Ofer Shezaf <[EMAIL PROTECTED]> wrote:
>
>
> I think that to protect a web server, especially regarding any deviation
> from the HTTP protocol, you may get more from a dedicated web
> intrusion detection system such as ModSecurity (www.modsecurity.org).
>
> We have recently released a new core rule set for ModSecurity that
> addresses issues such as malformed URIs and HTTP requests.
>
> ~ Ofer Shezaf
> www.modsecurity.org
> www.breach.com
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> [mailto: [EMAIL PROTECTED]
> > On Behalf Of [EMAIL PROTECTED]
> > Sent: Friday, October 27, 2006 2:02 AM
> > To: [email protected]
> > Subject: Snort rules to detect malformed http scanning
> >
> > I would like to add a rule to my Snort database which can block scanning of
> > malformed URLs.
> >
> > We are running our website in CGI, which eventually generates a mix of
> > JavaScript-based HTML code.
> >
> > A few days back we started experiencing traffic from scanners and bots which
> > scan our website for PHP files, which we don't have.
> >
> > I would like to block the IP addresses generating these types of scans.
> >
> >
> ------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it
> > with real-world attacks from CORE IMPACT.
> > Go to
> >
> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig
> n=
> > intro_sfw
> > to learn more.
> >
> ------------------------------------------------------------------------
>
>
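The pcre/uricontent approach mentioned in the reply above could look like the following for the original poster's case (a site with no PHP being probed for PHP files). This is an added example, not rules posted by anyone in the thread; the `msg` text, `sid` values and threshold numbers are assumptions to adapt, and `$HTTP_SERVERS` / `$HTTP_PORTS` are the usual snort.conf variables.

```snort
# Added example (Snort 2.x rule syntax). sids are taken from the local range
# (>= 1000000); msg strings and thresholds are assumed values, tune them.

# Rule 1: any request whose normalized URI names a .php file.
# uricontent is the fast pre-filter against the http_inspect-normalized URI;
# pcre with the U modifier confirms ".php" (optionally .php3/.php4/.php5) is
# the file extension rather than a substring of something else.
# "type limit" logs at most one alert per source per 60 seconds.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"LOCAL request for PHP file on non-PHP site"; \
    flow:to_server,established; \
    uricontent:".php"; nocase; \
    pcre:"/\.php[345]?(\?|\/|$)/Ui"; \
    threshold:type limit, track by_src, count 1, seconds 60; \
    classtype:web-application-activity; \
    sid:1000001; rev:1;)

# Rule 2: the same match, but only alerting when one source makes 10 such
# requests within 60 seconds. This separates a scanner or bot from a single
# stale link, and gives a list of source addresses worth blocking.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"LOCAL repeated PHP file probing from single source"; \
    flow:to_server,established; \
    uricontent:".php"; nocase; \
    pcre:"/\.php[345]?(\?|\/|$)/Ui"; \
    threshold:type both, track by_src, count 10, seconds 60; \
    classtype:attempted-recon; \
    sid:1000002; rev:1;)
```

These rules only alert; dropping the traffic requires Snort running inline or a separate blocking mechanism fed by the alerts.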