Linux Software & Blog
HowTo
Snorting the Web Farm
Jun 10th
Here are some rules for you snort freaks to chew on that I have found useful in web heavy environments.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE x2300 phpshell detected"; content:"Locus7Shell"; nocase; classtype:web-application-activity; reference:url,www.rfxn.com; sid:300010; rev:1;) alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE RFI Scanner detected"; content:"RFI Scanner"; classtype:web-application-activity; reference:url,www.rfxn.com; sid:300020; rev:2;) alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE lila.jpg phpshell detected"; content:"CMD PHP"; classtype:web-application-activity; reference:url,www.rfxn.com; sid:300030; rev:2;) alert tcp $HTTP_SERVERS $HTTP_PORTS -> any any (msg:"ET ATTACK RESPONSE ALBANIA id.php detected"; content:"UNITED ALBANIANS aka ALBOSS PARADISE"; classtype:web-application-activity; reference:url,www.rfxn.com; sid:300040; rev:2;) alert tcp More >
BOGON Filtering, Update It
Apr 17th
One of the features used by APF to prevent address spoofing is that it filters reserved IP address space, also known as BOGON filtering. This is an otherwise very reliable method to keep out random unallocated spoofed addresses from injecting traffic towards your server, assuming of course the list is updated regularly.
We decided a few months ago that we would disable by default all remote features in APF, including the auto updating of the reserved networks file (BOGON filter list), however this was done with one ill-fated consequence… That if you do not turn on the update feature yourself you More >
