alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP POST invalid method case outbound"; flow:established,to_server; content:"post "; depth:5; nocase; content:!"POST "; depth:5; pcre:"/^\/[^\r\n]+ HTTP\/1\./R"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014380; rev:4;)

Added 2016-12-05 17:06:58 UTC

This FP as rev 2. I was going to suggest adding a pcre. Here is my suggestion, as I am not sure the pcre above would find the problem: pcre:"/^post*?HTTP\/1\./i". This has not been tested yet.

-- JimMcKibben - 2016-12-07


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP POST invalid method case outbound"; flow:established,to_server; content:"post "; depth:5; nocase; content:!"POST "; depth:5; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014380; rev:2;)

Added 2014-12-05 18:20:53 UTC
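
An added example, not part of the original page or of the Emerging Threats ruleset: a Python approximation of the rev 2 and rev 4 payload checks, and of the pcre proposed in the comment, run over constructed payloads. It assumes the /R pcre is evaluated at offset 5 (the end of the "post " match) and that the proposed pcre would run from the start of the payload; the function and variable names are hypothetical.

```python
import re

# Body of the rev 4 pcre. The /R modifier is modelled by matching at offset 5,
# the end of the "post " content match (assumption stated in the lead-in).
REV4_PCRE = re.compile(rb"/[^\r\n]+ HTTP/1\.")
# pcre proposed in the comment, modelled as running from the payload start.
PROPOSED_PCRE = re.compile(rb"^post*?HTTP/1\.", re.IGNORECASE)


def content_checks(payload: bytes) -> bool:
    # content:"post "; depth:5; nocase;  and  content:!"POST "; depth:5;
    head = payload[:5]
    return head.lower() == b"post " and head != b"POST "


def rev2_alerts(payload: bytes) -> bool:
    # rev 2 has only the two content checks.
    return content_checks(payload)


def rev4_alerts(payload: bytes) -> bool:
    # rev 4 also requires "/<uri> HTTP/1." right after the method and space.
    return content_checks(payload) and REV4_PCRE.match(payload, 5) is not None


def proposed_pcre_matches(payload: bytes) -> bool:
    return PROPOSED_PCRE.match(payload) is not None


# Constructed payloads (first bytes of a to_server TCP stream), not captures.
SAMPLES = {
    "lowercase method": b"post /upload.php HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "mixed-case method": b"PoSt /a HTTP/1.0\r\n\r\n",
    "correct method": b"POST /a HTTP/1.1\r\n\r\n",
    "non-HTTP data": b"post card data=1&x=2",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:18} rev2={rev2_alerts(payload)!s:5} "
              f"rev4={rev4_alerts(payload)!s:5} "
              f"proposed_pcre={proposed_pcre_matches(payload)}")
```

In this model the proposed pcre needs "HTTP/1." directly after "pos" plus any "t" characters, so it does not match a request line that has a URI between the method and the version.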


Topic revision: r2 - 2016-12-07 - JimMcKibben
 