I think that to protect a web server, especially regarding any deviation of from the HTTP protocol, you may get more from a dedicated web intrusion detection system such as ModSecurity (www.modsecurity.org).
We have recently released a new core rule set for ModSecurity that addresses such as malformed URIs and HTTP requests. ~ Ofer Shezaf www.modsecurity.org www.breach.com > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > On Behalf Of [EMAIL PROTECTED] > Sent: Friday, October 27, 2006 2:02 AM > To: [email protected] > Subject: Snort rules to detect malformed http scanning > > I would liek to add rule to my snort database which can block scanning of > malformed urls. > > We are runnning our website in CGI which eventually generated mix of java > script based HTml code. > > Few days back we are experiencing traffic from scanners and bots which > scans our website for PHP files,which we don't have. > > I would like to block IP addresses of this types of scan genration. > > ------------------------------------------------------------------------ > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it > with real-world attacks from CORE IMPACT. > Go to > http://www.coresecurity.com/index.php5?module=Form&action=impact&campaig n= > intro_sfw > to learn more. > ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
