EditAttachPrintable
r2 - 28 Mar 2008 - 17:41:15 - MattJonkmanYou are here: TWiki >  Main Web > 2008064

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Nginx Server with no version string - Often Hostile Traffic"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"|0d 0a|Server\: nginx|0d 0a|"; nocase; distance:4; within:300; threshold:type limit, seconds 60, count 3, track by_src; classtype:bad-unknown; sid:2008064; rev:1;)

Added 2008-04-01 11:35:15 UTC

 

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Nginx Server with no version string - Often Hostile Traffic"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"|0d 0a|Server\: nginx|0d 0a|"; nocase; distance:4; within:300; threshold:type limit, seconds 60, count 3, track by_src; classtype:bad-unknown; sid:2008064; rev:1;)

Added 2008-04-01 11:35:15 UTC

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Nginx Server with no version string - Often Hostile Traffic"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"|0d 0a|Server\: nginx|0d 0a|"; nocase; distance:4; within:300; threshold:type limit, seconds 60, count 3, track by_src; classtype:bad-unknown; sid:2008064; rev:1;)

Added 2008-03-28 13:33:34 UTC

Often hostile. But not always. Many malware uses of nginx have the version string stripped.

-- MattJonkman - 28 Mar 2008

Edit | Attach | Printable | Raw View | Backlinks: Web, All Webs | History: r2 < r1 | More topic actions
 
Emerging Threats
This site is powered by the TWiki collaboration platformCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback