alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP HEAD invalid method case outbound"; flow:established,to_server; content:"head "; depth:5; nocase; content:!"HEAD "; depth:5; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014381; rev:2;)

Added 2012-03-14 18:30:52 UTC

This rule could be modified to include a "HTTP/1" content field ahead of the "head " content field to negate FPs

-- JimMcKibben - 2016-09-23

Please enter documentation, comments, false positives, or concerns with this signature. Press the Attach button below to add samples or Pcaps.

-- JimMcKibben - 2016-09-23


Topic revision: r2 - 2016-09-23 - JimMcKibben
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats