# rev 14: the protocol keyword is "http", so matching relies on the engine's
# HTTP application-layer detection (Suricata-style) rather than a payload
# content check; the destination port is anything not in $HTTP_PORTS.
# There is no content/uri condition, so every established client->server HTTP
# request to a non-$HTTP_PORTS port qualifies, including requests to
# legitimate services that happen to listen on non-standard ports.
# flowbits: et.httpproto is tested (isnotset) and then set; ET.knowitsnothttpnow
# is set and then tested (isnotset) on the same flow. Whether a set-then-isnotset
# pair on one bit can ever match depends on when the engine applies "set"
# (post-match vs. immediately, in option order) — TODO confirm against the
# target engine version.
# threshold: at most one alert per destination host every 30 seconds.
# metadata created_at 2010_07_30 does not match the 2007 rev 1 entry further
# down this page.
# The leading "#" leaves the rule disabled as written here.
#alert http $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET POLICY HTTP Request on Unusual Port Possibly Hostile"; flow:established,to_server; flowbits:isnotset,et.httpproto; flowbits:set,et.httpproto; flowbits:set,ET.knowitsnothttpnow; flowbits:isnotset,ET.knowitsnothttpnow; threshold: type limit, count 1, seconds 30, track by_dst; reference:url,doc.emergingthreats.net/2006408; classtype:policy-violation; sid:2006408; rev:14; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 20:59:36 UTC


# rev 8: plain tcp rule with an explicit destination port list
# [81:8079,8081:65535], i.e. everything except ports 0-80 and 8080;
# $HTTP_PORTS is not consulted, so other configured HTTP ports are not excluded.
# content:"GET " with nocase and depth:4 requires the 4-byte token "GET " (any
# case) to sit within the first 4 payload bytes of an established
# client->server stream, i.e. at the very start of the payload. Consequences:
# only GET is covered (no HEAD/POST/etc.), and any bytes preceding the request
# line (e.g. CRLF padding) defeat the match — see the evasion discussion at the
# bottom of this page.
# The leading "#" leaves the rule disabled as written here.
#alert tcp $HOME_NET any -> $EXTERNAL_NET [81:8079,8081:65535] (msg:"ET POLICY HTTP Request on Unusual Port Possibly Hostile"; flow:established,to_server; content:"GET "; nocase; depth:4; reference:url,doc.emergingthreats.net/2006408; classtype:policy-violation; sid:2006408; rev:8;)

Added 2011-10-12 19:20:39 UTC


# rev 8 (earlier entry, same revision number): identical in effect to the rev 8
# line above — only the order of the classtype and reference options differs,
# which does not affect matching.
# Destination ports [81:8079,8081:65535] exclude 0-80 and 8080; $HTTP_PORTS is
# not consulted.
# content:"GET " nocase depth:4 only matches when "GET " is the first 4 payload
# bytes of an established client->server stream: GET only, and any leading
# bytes before the request line (e.g. CRLF) bypass it — see the discussion at
# the bottom of this page.
# The leading "#" leaves the rule disabled as written here.
#alert tcp $HOME_NET any -> $EXTERNAL_NET [81:8079,8081:65535] (msg:"ET POLICY HTTP Request on Unusual Port Possibly Hostile"; flow:established,to_server; content:"GET "; nocase; depth:4; classtype:policy-violation; reference:url,doc.emergingthreats.net/2006408; sid:2006408; rev:8;)

Added 2011-09-14 22:34:12 UTC


# rev 8 (oldest of three entries on this page carrying rev:8 — the rev number
# was not bumped for the later msg/reference changes). msg still reads
# "HTTP GET", and a second reference points at the cvsweb page for the
# POLICY_HTTP_on_Off_Ports signature.
# Destination ports [81:8079,8081:65535] exclude 0-80 and 8080; $HTTP_PORTS is
# not consulted.
# content:"GET " nocase depth:4 only matches when "GET " is the first 4 payload
# bytes of an established client->server stream: GET only, and leading bytes
# before the request line (e.g. CRLF) bypass it — see the discussion at the
# bottom of this page.
# The leading "#" leaves the rule disabled as written here.
#alert tcp $HOME_NET any -> $EXTERNAL_NET [81:8079,8081:65535] (msg:"ET POLICY HTTP GET on unusual Port Possibly Hostile"; flow:established,to_server; content:"GET "; nocase; depth:4; classtype:policy-violation; reference:url,doc.emergingthreats.net/2006408; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HTTP_on_Off_Ports; sid:2006408; rev:8;)

Added 2011-02-04 17:25:20 UTC


# rev 4: destination port range 81:65535 — unlike the later rev 8 port list this
# does not exclude 8080, and $HTTP_PORTS is not consulted.
# flowbits:isnotset,BS.HTTP.ok suppresses the alert on flows where BS.HTTP.ok was
# already set; the rule that sets that bit is not on this page — presumably a
# companion rule that marks sanctioned HTTP, verify it is loaded, otherwise this
# check is always true.
# content:"GET " nocase depth:4 only matches when "GET " is the first 4 payload
# bytes of an established client->server stream: GET only, and leading bytes
# before the request line (e.g. CRLF) bypass it.
# The leading "#" leaves the rule disabled as written here.
#alert tcp $HOME_NET any -> $EXTERNAL_NET 81:65535 (msg:"ET POLICY HTTP GET on unusual Port Possibly Hostile"; flowbits:isnotset,BS.HTTP.ok; flow:established,to_server; content:"GET "; nocase; depth:4; classtype:policy-violation; reference:url,doc.emergingthreats.net/2006408; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HTTP_on_Off_Ports; sid:2006408; rev:4;)

Added 2009-02-11 19:15:22 UTC


# rev 4 (duplicate history entry, byte-identical to the rev 4 line above).
# Destination port range 81:65535 does not exclude 8080; $HTTP_PORTS is not
# consulted.
# flowbits:isnotset,BS.HTTP.ok suppresses the alert on flows where BS.HTTP.ok was
# already set; the setter is not on this page — presumably a companion rule that
# marks sanctioned HTTP, verify it is loaded, otherwise this check is always true.
# content:"GET " nocase depth:4 only matches when "GET " is the first 4 payload
# bytes of an established client->server stream: GET only, and leading bytes
# before the request line (e.g. CRLF) bypass it.
# The leading "#" leaves the rule disabled as written here.
#alert tcp $HOME_NET any -> $EXTERNAL_NET 81:65535 (msg:"ET POLICY HTTP GET on unusual Port Possibly Hostile"; flowbits:isnotset,BS.HTTP.ok; flow:established,to_server; content:"GET "; nocase; depth:4; classtype:policy-violation; reference:url,doc.emergingthreats.net/2006408; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_HTTP_on_Off_Ports; sid:2006408; rev:4;)

Added 2009-02-11 19:15:22 UTC


# rev 3: same detection logic as rev 4 but without the reference options.
# Destination port range 81:65535 does not exclude 8080; $HTTP_PORTS is not
# consulted.
# flowbits:isnotset,BS.HTTP.ok suppresses the alert on flows where BS.HTTP.ok was
# already set; the setter is not on this page — presumably a companion rule that
# marks sanctioned HTTP, verify it is loaded, otherwise this check is always true.
# content:"GET " nocase depth:4 only matches when "GET " is the first 4 payload
# bytes of an established client->server stream: GET only, and leading bytes
# before the request line (e.g. CRLF) bypass it.
# The leading "#" leaves the rule disabled as written here.
#alert tcp $HOME_NET any -> $EXTERNAL_NET 81:65535 (msg:"ET POLICY HTTP GET on unusual Port Possibly Hostile"; flowbits:isnotset,BS.HTTP.ok; flow:established,to_server; content:"GET "; nocase; depth:4; classtype:policy-violation; sid:2006408; rev:3;)

Added 2008-06-06 20:49:01 UTC


# rev 3 (duplicate history entry, byte-identical to the rev 3 line above).
# Destination port range 81:65535 does not exclude 8080; $HTTP_PORTS is not
# consulted.
# flowbits:isnotset,BS.HTTP.ok suppresses the alert on flows where BS.HTTP.ok was
# already set; the setter is not on this page — presumably a companion rule that
# marks sanctioned HTTP, verify it is loaded, otherwise this check is always true.
# content:"GET " nocase depth:4 only matches when "GET " is the first 4 payload
# bytes of an established client->server stream: GET only, and leading bytes
# before the request line (e.g. CRLF) bypass it.
# The leading "#" leaves the rule disabled as written here.
#alert tcp $HOME_NET any -> $EXTERNAL_NET 81:65535 (msg:"ET POLICY HTTP GET on unusual Port Possibly Hostile"; flowbits:isnotset,BS.HTTP.ok; flow:established,to_server; content:"GET "; nocase; depth:4; classtype:policy-violation; sid:2006408; rev:3;)

Added 2008-06-06 20:49:01 UTC


# rev 2: same logic as rev 3 with an explicit offset:0, which restates the
# default start position and is redundant alongside depth:4; msg uses "--".
# Destination port range 81:65535 does not exclude 8080; $HTTP_PORTS is not
# consulted.
# flowbits:isnotset,BS.HTTP.ok suppresses the alert on flows where BS.HTTP.ok was
# already set; the setter is not on this page — presumably a companion rule that
# marks sanctioned HTTP, verify it is loaded, otherwise this check is always true.
# content:"GET " nocase depth:4 only matches when "GET " is the first 4 payload
# bytes of an established client->server stream: GET only, and leading bytes
# before the request line (e.g. CRLF) bypass it.
# The leading "#" leaves the rule disabled as written here.
#alert tcp $HOME_NET any -> $EXTERNAL_NET 81:65535 (msg:"ET POLICY HTTP GET on unusual Port -- Possibly Hostile"; flowbits:isnotset,BS.HTTP.ok; flow:established,to_server; content:"GET "; nocase; depth:4; offset:0; classtype:policy-violation; sid:2006408; rev:2;)

Added 2008-01-31 18:48:09 UTC


# rev 2 (duplicate history entry, byte-identical to the rev 2 line above).
# offset:0 restates the default start position and is redundant alongside depth:4.
# Destination port range 81:65535 does not exclude 8080; $HTTP_PORTS is not
# consulted.
# flowbits:isnotset,BS.HTTP.ok suppresses the alert on flows where BS.HTTP.ok was
# already set; the setter is not on this page — presumably a companion rule that
# marks sanctioned HTTP, verify it is loaded, otherwise this check is always true.
# content:"GET " nocase depth:4 only matches when "GET " is the first 4 payload
# bytes of an established client->server stream: GET only, and leading bytes
# before the request line (e.g. CRLF) bypass it.
# The leading "#" leaves the rule disabled as written here.
#alert tcp $HOME_NET any -> $EXTERNAL_NET 81:65535 (msg:"ET POLICY HTTP GET on unusual Port -- Possibly Hostile"; flowbits:isnotset,BS.HTTP.ok; flow:established,to_server; content:"GET "; nocase; depth:4; offset:0; classtype:policy-violation; sid:2006408; rev:2;)

Added 2008-01-31 18:48:09 UTC


# rev 1 (2007): original BLEEDING-EDGE-prefixed version; later revisions only
# rename the msg prefix to "ET" and add references until the port list and
# protocol changes of rev 8 and rev 14.
# Destination port range 81:65535 does not exclude 8080; $HTTP_PORTS is not
# consulted. offset:0 restates the default start position and is redundant
# alongside depth:4.
# flowbits:isnotset,BS.HTTP.ok suppresses the alert on flows where BS.HTTP.ok was
# already set; the setter is not on this page — presumably a companion rule that
# marks sanctioned HTTP, verify it is loaded, otherwise this check is always true.
# content:"GET " nocase depth:4 only matches when "GET " is the first 4 payload
# bytes of an established client->server stream: GET only, and leading bytes
# before the request line (e.g. CRLF) bypass it — the evasion raised in the
# discussion below and accepted as a known limitation.
# The leading "#" leaves the rule disabled as written here.
#alert tcp $HOME_NET any -> $EXTERNAL_NET 81:65535 (msg:"BLEEDING-EDGE POLICY HTTP GET on unusual Port -- Possibly Hostile"; flowbits:isnotset,BS.HTTP.ok; flow:established,to_server; content:"GET "; nocase; depth:4; offset:0; classtype:policy-violation; sid:2006408; rev:1;)

Added 2007-07-19 03:30:52 UTC

Surya Batchu wrote: Apache servers accept any number of \r\n sequences before the request line. To avoid this evasion, the rules could be changed to use a pcre content search such as "^(\r\n)*GET".


This is a valid problem with the rule, but for performance's sake we can't run pcre against every packet. It will have to remain an unfortunate possible evasion, hopefully one that is not used. We'll have to adjust if we see it in the wild.

Matt

-- MattJonkman - 19 Jul 2007


Topic revision: r2 - 2007-07-19 - MattJonkman