May 2003
Intermediate to advanced
360 pages
10h 27m
English
This category of rule covers traffic that is definitely out of the ordinary and is potentially indicative of a compromised system. Attack-response rules fall into this category. Take this directory-listing rule, for example:
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES http dir listing"; content: "Volume Serial Number"; flow:from_server,established; classtype:bad-unknown;)
Alerts generated by this rule signify that "Volume Serial Number" content has been detected coming from a Web server. This type of content is usually detected when an attacker is able to execute commands and pass the output through a Web server. Attackers can do this by escaping out of the Web server document ...
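As an added illustration (not the book's code and not Snort's own matching engine), the following Python evaluates the rule above against constructed packets, with assumed bindings for $HTTP_SERVERS, $HTTP_PORTS and $EXTERNAL_NET. It shows why the header direction and flow:from_server mean the same bytes inside a client request do not alert, while a server response carrying command output does.

```python
import re

# Constructed bindings for the rule's variables (assumed values, not Snort defaults).
VARS = {"$HTTP_SERVERS": {"10.0.0.5"}, "$HTTP_PORTS": {80, 8080},
        "$EXTERNAL_NET": None}          # None: any address that is not an HTTP server

RULE = ('alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any '
        '(msg:"ATTACK RESPONSES http dir listing"; content: "Volume Serial Number"; '
        'flow:from_server,established; classtype:bad-unknown;)')

def parse_rule(rule):
    """Split a one-line Snort rule into its header fields and an options dict."""
    header, opts = rule.split("(", 1)
    action, proto, src, sport, _arrow, dst, dport = header.split()
    options = {k: v.strip('"') for k, v in re.findall(r'(\w+)\s*:\s*("[^"]*"|[^;]*);', opts)}
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, **options}

def _ip_ok(var, ip):
    allowed = VARS[var]
    return ip not in VARS["$HTTP_SERVERS"] if allowed is None else ip in allowed

def _port_ok(var, port):
    return var == "any" or port in VARS[var]

def matches(rule, pkt):
    """True when the constructed packet passes the header, flow and content checks."""
    r = parse_rule(rule)
    if pkt["proto"] != r["proto"]:
        return False
    if not (_ip_ok(r["src"], pkt["src"]) and _port_ok(r["sport"], pkt["sport"])):
        return False
    if not (_ip_ok(r["dst"], pkt["dst"]) and _port_ok(r["dport"], pkt["dport"])):
        return False
    flow = set(r.get("flow", "").split(","))
    if "established" in flow and not pkt["established"]:
        return False
    if "from_server" in flow and pkt["direction"] != "from_server":
        return False
    return r["content"].encode() in pkt["payload"]   # plain substring, as content: does

# Constructed traffic: a Web server's response relaying the output of "dir".
DIR_LISTING = {"proto": "tcp", "src": "10.0.0.5", "sport": 80, "dst": "198.51.100.7",
               "dport": 51234, "established": True, "direction": "from_server",
               "payload": (b"HTTP/1.1 200 OK\r\n\r\n Volume in drive C has no label.\r\n"
                           b" Volume Serial Number is 1A2B-3C4D\r\n")}
# Same bytes in a request body, client -> server: header direction and flow both reject it.
CLIENT_POST = dict(DIR_LISTING, src="198.51.100.7", sport=51234, dst="10.0.0.5",
                   dport=80, direction="to_server")
# Normal page from the same server: no marker string, so no alert.
BENIGN = dict(DIR_LISTING, payload=b"HTTP/1.1 200 OK\r\n\r\n<html>Welcome</html>")
```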