** README ** 

This repo has MOVED.  The new location is https://github.com/quadrantsec/sagan-rules


Welcome to the "Sagan Rules" README file
----------------------------------------

This is the Git repository for the Sagan engine rule sets.  You 
probably won't find these useful unless you're actually using Sagan!
For more information,  check out the Sagan main web site at:

http://sagan.quadrantsec.com

Github related site:

http://github.com/beave/sagan

What is Sagan? 
--------------

Sagan is an open source (GNU/GPLv2) high performance, real-time log 
analysis & correlation engine.  It is written in C and uses a 
multi-threaded architecture to deliver high performance log & event 
analysis. The Sagan structure and Sagan rules work similarly to the 
Sourcefire "Snort" IDS engine. This was intentionally done to maintain 
compatibility with rule management software (oinkmaster/pulledpork/etc)
and allows Sagan to correlate log events with your Snort IDS/IPS 
system. Since Sagan can write to Snort IDS/IPS databases via 
unified2/barnyard2, it is compatible with all Snort "consoles". For 
example, Sagan is compatible with Snorby [http://www.snorby.org], 
Sguil [http://sguil.sourceforge.net], BASE, and the Prelude IDS 
framework! (to name a few).

Sagan supports many different output formats,  log normalization 
(via liblognorm),  script execution on event and automatic firewall
support via "Snortsam" (see http://www.snortsam.net).  

For more information, please visit the Sagan web site: 
http://sagan.quadrantsec.com.

# Sagan apache.rules
# Copyright (c) 2009-2020. Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
#   disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
#   following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#   from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# In order for you to receive Apache logs via syslog, you'll need to change your "CustomLog" configuration
# entry in your Apache config to something like:
#
# CustomLog "|/usr/bin/logger -i -p local0.info -t apache2" common
#

#alert any $EXTERNAL_NET any -> $HOME_NET any ( msg:"[APACHE] Segmentation fault"; content: "signal Segmentation Fault"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: program-error; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000155; sid:5000155; rev:5;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Attempt to access forbidden file or directory [0/5]"; content: "denied by server configuration"; threshold: type suppress, track by_src, count 5, seconds 300; xbits: set, recon ,track ip_src, expire 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: permissions-violation ; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000156; parse_src_ip: 1; sid:5000156; rev:11;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Attempt to access forbidden directory index [0/5]"; content: "Directory index forbidden by rule"; threshold: type suppress, track by_src, count 5, seconds 300; xbits: set, recon ,track ip_src, expire 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: permissions-violation; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000157; parse_src_ip: 1; sid:5000157; rev:12;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Client sent malformed Host header"; content: "Client sent malformed Host header"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: string-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000158; parse_src_ip: 1; sid:5000158; rev:7;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] User authentication failed"; content: "authentication failed"; nocase; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: unsuccessful-user; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000159; parse_src_ip: 1; sid:5000159; rev:7;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Attempt to login using a non-existent user"; pcre: "/user \S+ not found/i"; xbits: set, recon ,track ip_src, expire 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: unsuccessful-user; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000160; parse_src_ip: 1; sid:5000160; rev:10;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Rapid attempt to access a non-existent file or directory"; pcre: "/file does not exist|No such file or directory/i"; content:!"favicon.ico"; threshold:suppress, track by_src, count 20, seconds 60; xbits: set, recon ,track ip_src, expire 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-filename-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000161; parse_src_ip: 1; sid:5000161; rev:10;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Attempt to access a non-existent file or stream"; pcre: "/failed opening|failed to open stream/i"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-filename-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000378; parse_src_ip: 1; sid:5000378; rev:8;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Invalid URI in request"; content: "Invalid URI in request"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000162; parse_src_ip: 1; sid:5000162; rev:7;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Invalid URI, file name too long"; content: "file name too long"; content: "URI too long"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-filename-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000163; parse_src_ip: 1; sid:5000163; rev:7;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Mod_Security Access denied"; meta_content: "%sagan%",modsecurity,mod_security,mod_security-message; content: "access denied"; nocase; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000165; parse_src_ip: 1; sid:5000165; rev:8;)

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Resource temporarily unavailable"; content: "Resource temporarily unavailable"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: program-error; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000166; parse_src_ip: 1; sid:5000166; rev:7;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Directory traversal attempt - 1"; content: "?C=S|3b|O=A"; xbits: set, recon ,track ip_src, expire 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000359; parse_src_ip: 1; sid: 5000359; rev:10;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Directory traversal attempt - 2"; content: "?C=M|3b|O=A"; xbits: set, recon ,track ip_src, expire 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000360; parse_src_ip: 1; sid: 5000360; rev:10;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Robots.txt access"; content: "robots.txt"; content:!" 404 "; xbits: set, recon ,track ip_src, expire 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: unknown; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000361; parse_src_ip: 1; sid: 5000361; rev:10;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] PHPinfo access attempt [0/5]"; content: "phpinfo"; content:!" 404 "; xbits: set,recon,track ip_src, expire 86400; default_proto: tcp; default_dst_port: $HTTP_PORT; classtype: attempted-recon; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000362; parse_src_ip: 1; threshold:suppress, track by_src, count 5, seconds 300; sid: 5000362; rev:13;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Php-my-admin access attempt [0/5]"; content: "phpmyadmin"; nocase; content:!" 404 "; xbits: set, recon ,track ip_src, expire 86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000364; parse_src_ip: 1; threshold:suppress, track by_src, count 5, seconds 300; sid: 5000364; rev:9;)

# CVE-2014-6271 (09/24/2014 - Champ Clark III)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Remote execution attempt via CVE-2014-6271"; content:"|28 29 20 7b 20|"; program: apache|httpd; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: exploit-attempt; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5002180; reference: url,web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271; sid:5002180; rev:7;)

# CVE-2014-6271 (09/30/2014 - Champ Clark III) - These are modified Emerging Threats rules

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 1"; content:"%28%29|20|{|20|"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002181; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 2"; content:"%28%29|20|{%20"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002182; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 3"; content:"%28%29|20|%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002183; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 4"; content:"%28%29|20|%7b%20"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002184; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 5"; content:"%28%29%20{|20|"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002185; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 6"; content:"%28%29%20{%20"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002186; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 7"; content:"%28%29%20%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002187; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 8"; content:"%28%29%20%7b%20"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002188; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 9"; content:"%28|20|{|20|"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002189; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 10"; content:"%28|20|{%20"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002190; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 11"; content:"%28|20|%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002212; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 12"; content:"%28|20|%7b%20"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002191; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 13"; content:"%28%20{|20|"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002192; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 14"; content:"%28%20{%20"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002193; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 15"; content:"%28%20%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002194; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 16"; content:"%28%20%7b%20"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002195; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 17"; content:"|28|%29|20|{|20|"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002196; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 18"; content:"|28|%29|20|{%20"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002197; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 19"; content:"|28|%29|20|%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002198; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 20"; content:"|28|%29|20|%7b%20"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002199; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 21"; content:"|28|%29%20{|20|"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002200; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 22"; content:"|28|%29%20{%20"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002201; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 23"; content:"|28|%29%20%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002202; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 24"; content:"|28|%29%20%7b%20"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002203; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 25"; content:"|28 29 20|{%20"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002204; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 26"; content:"|28 29 20|%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002205; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 27"; content:"|28 29 20|%7b%20"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002206; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 28"; content:"|28 29|%20{|20|"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002207; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 29"; content:"|28 29|%20%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002208; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 30"; content:"|28 29|%20%7b%20"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002209; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion LF"; content:"|28 29 0a 20 7b|"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002210; rev:6;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion CRLF"; content:"|28 29 0d 0a 20 7b|"; program: apache|httpd; xbits: set, exploit_attempt ,track ip_src, expire 86400; parse_src_ip: 1; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002211; rev:6;)
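
The rules above combine literal text, `|hex|` byte runs, negated `content` and PCRE, so it helps to see which log lines a given rule would and would not fire on. The Python sketch below is an added example, not code from Sagan or from this repository: it parses five of the rules (trimmed to the options it evaluates) and runs them over constructed log lines. Its matching semantics (exact program tag, `nocase` applying to the preceding `content`, every condition ANDed) are assumptions modelled on Snort conventions, not Sagan's implementation.

```python
import re

# Rules taken from apache.rules on this page, trimmed to the options evaluated here.
RULES = [
    r'alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Remote execution attempt via CVE-2014-6271"; content:"|28 29 20 7b 20|"; program: apache|httpd; sid:5002180; rev:7;)',
    r'alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 8"; content:"%28%29%20%7b%20"; program: apache|httpd; sid:5002188; rev:6;)',
    r'alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Robots.txt access"; content: "robots.txt"; content:!" 404 "; program: apache|httpd; sid: 5000361; rev:10;)',
    r'alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Attempt to login using a non-existent user"; pcre: "/user \S+ not found/i"; program: apache|httpd; sid:5000160; rev:10;)',
    r'alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] User authentication failed"; content: "authentication failed"; nocase; program: apache|httpd; sid:5000159; rev:7;)',
]

def split_options(body):
    """Split the option list on semicolons that are outside double quotes."""
    parts, buf, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    return [p for p in parts if p]

def decode_content(text):
    """Expand |hex| runs (odd chunks after splitting on '|'): '?C=S|3b|O=A' -> '?C=S;O=A'."""
    return ''.join(bytes.fromhex(c).decode('latin-1') if i % 2 else c
                   for i, c in enumerate(text.split('|')))

def parse_rule(line):
    """Extract program, content, nocase, pcre and sid from one rule."""
    rule = {'sid': None, 'programs': set(), 'contents': [], 'pcres': []}
    for opt in split_options(line[line.index('(') + 1:line.rindex(')')]):
        key, _, val = (s.strip() for s in opt.partition(':'))
        if key == 'content':
            literal = decode_content(val.lstrip('!').strip().strip('"'))
            rule['contents'].append([literal, val.startswith('!'), False])
        elif key == 'nocase' and rule['contents']:
            rule['contents'][-1][2] = True      # assumed to modify the preceding content
        elif key == 'pcre':
            pattern, _, flags = val.strip('"')[1:].rpartition('/')
            rule['pcres'].append(re.compile(pattern, re.I if 'i' in flags else 0))
        elif key == 'program':
            rule['programs'] = set(val.split('|'))
        elif key == 'sid':
            rule['sid'] = int(val)
    return rule

def matches(rule, program, message):
    """Assumed semantics: exact program tag, all content and pcre options ANDed."""
    if rule['programs'] and program not in rule['programs']:
        return False
    for text, negated, nocase in rule['contents']:
        found = text.lower() in message.lower() if nocase else text in message
        if found == negated:
            return False
    return all(p.search(message) for p in rule['pcres'])

PARSED = [parse_rule(r) for r in RULES]

def evaluate(program, message):
    """Return the sids of every rule that fires on one syslog message."""
    return [r['sid'] for r in PARSED if matches(r, program, message)]

# Constructed log lines (documentation address range), not captured traffic.
SAMPLES = [
    ('httpd', '203.0.113.7 - - [24/Sep/2014:10:00:00 +0000] "GET /cgi-bin/status?q=%28%29%20%7b%20constructed HTTP/1.1" 200 12'),
    ('httpd', '203.0.113.7 - - [24/Sep/2014:10:00:05 +0000] "GET /robots.txt HTTP/1.1" 404 196'),
    ('httpd', '[error] [client 203.0.113.7] User Admin Not Found: /private'),
    ('sshd', 'GET /robots.txt'),
]
for program, message in SAMPLES:
    print(evaluate(program, message), message[:70])
```

Because each `content` is a literal byte string, a request that encodes the same characters differently needs its own rule, which is why the file lists so many URLENCODE variants.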
