# ET POLICY Proxy HEAD Request, sid 2001670 rev 9 -- shown commented out here, i.e. disabled.
# Fires on established client-to-server TCP from $EXTERNAL_NET to $HTTP_SERVERS:$HTTP_PORTS when
# the payload begins with "HEAD http://" (nocase; depth:12 equals the pattern length, so the
# match is pinned to the first 12 bytes of the inspected payload). That is an absolute-form
# request line, the form a client uses toward a forward proxy; at a web server it can indicate
# open-proxy probing. False-positive prone: HTTP servers must also accept absolute-form for
# their own URLs, so confirm the URL host is foreign and check how the server answered.
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy HEAD Request"; flow: to_server,established; content:"HEAD http|3a|//"; nocase; depth: 12; reference:url,doc.emergingthreats.net/2001670; classtype:bad-unknown; sid:2001670; rev:9;)

Added 2011-10-12 19:10:47 UTC


# Disabled (commented-out) rev 9 snapshot of sid 2001670: alerts on a to_server payload whose
# first 12 bytes are "HEAD http://" (case-insensitive), i.e. a proxy-style absolute-URL HEAD
# request sent to a web server. Carries only the doc.emergingthreats.net reference.
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy HEAD Request"; flow: to_server,established; content:"HEAD http|3a|//"; nocase; depth: 12; classtype: bad-unknown; reference:url,doc.emergingthreats.net/2001670; sid:2001670; rev:9;)

Added 2011-09-14 21:02:36 UTC


# Disabled (commented-out) rev 9 snapshot of sid 2001670. The colon is written as hex |3a|
# here rather than the escaped "\:" of the rev 8 entries on this page; the pattern is still the
# 12 bytes "HEAD http://" at the start of a to_server payload. Both reference URLs are present.
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy HEAD Request"; flow: to_server,established; content:"HEAD http|3a|//"; nocase; depth: 12; classtype: bad-unknown; reference:url,doc.emergingthreats.net/2001670; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy; sid:2001670; rev:9;)

Added 2011-02-04 17:21:34 UTC


# Active rev 8 of sid 2001670: alerts when an established to_server flow from $EXTERNAL_NET to
# $HTTP_SERVERS starts with "HEAD http://" (nocase, depth 12), i.e. a HEAD request using a full
# URL as a proxy client would. classtype bad-unknown; treat hits as policy leads, not proof.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy HEAD Request"; flow: to_server,established; content:"HEAD http\://"; nocase; depth: 12; classtype: bad-unknown; reference:url,doc.emergingthreats.net/2001670; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy; sid:2001670; rev:8;)

Added 2010-06-28 22:46:59 UTC


# Active rev 8 of sid 2001670, listed a second time with the same 2010-06-28 timestamp and the
# same text as the neighbouring entry. Detection: "HEAD http://" (nocase) within the first 12
# payload bytes of an established to_server flow from $EXTERNAL_NET to $HTTP_SERVERS.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy HEAD Request"; flow: to_server,established; content:"HEAD http\://"; nocase; depth: 12; classtype: bad-unknown; reference:url,doc.emergingthreats.net/2001670; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy; sid:2001670; rev:8;)

Added 2010-06-28 22:46:59 UTC


# Active rev 8 of sid 2001670 under the "ET POLICY" name, with the cvsweb reference pointing at
# sigs/POLICY/POLICY_Proxy. Detection is the content match "HEAD http://" (nocase, depth 12)
# on established to_server traffic from $EXTERNAL_NET to $HTTP_SERVERS.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Proxy HEAD Request"; flow: to_server,established; content:"HEAD http\://"; nocase; depth: 12; classtype: bad-unknown; reference:url,doc.emergingthreats.net/2001670; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_Proxy; sid: 2001670; rev:8;)

Added 2009-09-21 08:45:40 UTC


# Active rev 7 of sid 2001670, still named "ET WEB"; its cvsweb reference points at
# sigs/WEB/WEB_Apache_Open_Proxy, which suggests the rule was written with open-proxy abuse of
# web servers in mind. Matches "HEAD http://" (nocase) in the first 12 to_server payload bytes.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB Proxy HEAD Request"; flow: to_server,established; content:"HEAD http\://"; nocase; depth: 12; classtype: bad-unknown; reference:url,doc.emergingthreats.net/2001670; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy; sid: 2001670; rev:7;)

Added 2009-02-16 21:30:25 UTC


# Active rev 7 of sid 2001670, repeated with the same 2009-02-16 timestamp. Alerts on an
# established to_server flow to $HTTP_SERVERS whose payload opens with "HEAD http://"
# (case-insensitive); this revision carries two reference URLs for analyst context.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB Proxy HEAD Request"; flow: to_server,established; content:"HEAD http\://"; nocase; depth: 12; classtype: bad-unknown; reference:url,doc.emergingthreats.net/2001670; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB/WEB_Apache_Open_Proxy; sid: 2001670; rev:7;)

Added 2009-02-16 21:30:25 UTC


# Active rev 6 of sid 2001670: source is $EXTERNAL_NET, so only requests arriving from outside
# the protected networks alert (the rev 5 entry on this page used "any"). No reference options
# yet. Matches "HEAD http://" (nocase, depth 12) on established to_server flows.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB Proxy HEAD Request"; flow: to_server,established; content:"HEAD http\://"; nocase; depth: 12; classtype: bad-unknown; sid: 2001670; rev:6;)

Added 2008-05-18 19:52:12 UTC


# Active rev 5 of sid 2001670, the earliest entry on this page with the "ET" msg prefix. Source
# is "any any", so internal clients sending "HEAD http://..." to $HTTP_SERVERS alert as well as
# external ones. Pattern: "HEAD http://" (nocase) within the first 12 to_server payload bytes.
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB Proxy HEAD Request"; flow: to_server,established; content:"HEAD http\://"; nocase; depth: 12; classtype: bad-unknown; sid: 2001670; rev:5;)

Added 2008-01-31 18:48:10 UTC


# Active rev 4 of sid 2001670 under the BLEEDING-EDGE name; msg capitalised as "WEB".
# Alerts on "HEAD http://" (nocase, depth 12) at the start of an established to_server payload
# from any source to $HTTP_SERVERS:$HTTP_PORTS.
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE WEB Proxy HEAD Request"; flow: to_server,established; content:"HEAD http\://"; nocase; depth: 12; classtype: bad-unknown; sid: 2001670; rev:4;)

Added 2007-03-12 14:00:30 UTC

Just changed the name to reflect the correct capitalization format. (Happened to be in there adding another sig)

-- MattJonkman - 12 Mar 2007


# Active rev 3 of sid 2001670, the oldest revision on this page (msg spelled "Web").
# Same detection as the later revisions: "HEAD http://" (nocase, depth 12) on an established
# to_server flow from any source to $HTTP_SERVERS:$HTTP_PORTS.
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE Web Proxy HEAD Request"; flow: to_server,established; content:"HEAD http\://"; nocase; depth: 12; classtype: bad-unknown; sid: 2001670; rev:3; )



  • payload_2-163087.bin: BASE pcap (.bin); can be opened with any text editor. The payload shows a false positive of the signature: it was triggered when someone accessed an avatar image of mine (used on a forum) that resides on my webserver. Definitely a false positive. Presumably the request named the image by its full http:// URL, which the rule matches even when the URL points at the server's own content.
Topic revision: r4 - 2010-03-29 - MattJonkman
 