# Sagan apache.rules # Copyright (c) 2009-2017, Quadrant Information Security # All rights reserved. # # Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list # #************************************************************* # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
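#
#*************************************************************
#
# In order for you to receive Apache logs via syslog, you'll need to change your "CustomLog" configuration
# entry in your Apache config to something like:
#
# CustomLog "|/usr/bin/logger -i -p local0.info -t apache2" common
#
# NOTE(review): the example above tags messages "apache2", while every rule below matches
# "program: apache|httpd". Confirm that the tag your loggers emit is matched by that list.
# NOTE(review): several signatures below key on error-log wording ("denied by server configuration",
# "File does not exist"); presumably the Apache error log must be forwarded too -- verify.
#
# Layout: one rule per line. Each rule sits on a single line here; check your Sagan version before wrapping.

# --- Server health (disabled upstream) -------------------------------------------------------------

#alert any $EXTERNAL_NET any -> $HOME_NET any ( msg:"[APACHE] Segmentation fault"; content: "signal Segmentation Fault"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: program-error; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000155; sid:5000155; rev:5;)

# --- Access-control denials -------------------------------------------------------------------------
# "threshold: type limit ... count 5, seconds 300" presumably caps alerts at 5 per source per 300 s;
# the "[0/5]" suffix in msg appears to advertise that cap -- confirm against your Sagan version.
# "xbits: set,recon,86400" sets the "recon" xbit (presumably a one-day expiry) for later correlation.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Attempt to access forbidden file or directory [0/5]"; content: "denied by server configuration"; threshold: type limit, track by_src, count 5, seconds 300; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: permissions-violation; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000156; parse_src_ip: 1; sid:5000156; rev:9;)

# Fixed in review: the "[0/5]" threshold tag had been placed inside the content string, so the
# signature required that literal text in the log line. It belongs in msg, as on sid 5000156.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Attempt to access forbidden directory index [0/5]"; content: "Directory index forbidden by rule"; threshold: type limit, track by_src, count 5, seconds 300; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: permissions-violation; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000157; parse_src_ip: 1; sid:5000157; rev:10;)

# --- Malformed requests and authentication failures -------------------------------------------------

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Client sent malformed Host header"; content: "Client sent malformed Host header"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: string-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000158; parse_src_ip: 1; sid:5000158; rev:7;)

# No threshold on the two authentication rules: each failed login raises its own alert.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] User authentication failed"; content: "authentication failed"; nocase; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: unsuccessful-user; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000159; parse_src_ip: 1; sid:5000159; rev:7;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Attempt to login using a non-existent user"; pcre: "/user \S+ not found/i"; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: unsuccessful-user; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000160; parse_src_ip: 1; sid:5000160; rev:8;)

# --- Missing files and bad URIs ---------------------------------------------------------------------

# favicon.ico misses are excluded because browsers request it routinely.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Rapid attempt to access a non-existent file or directory"; pcre: "/file does not exist|No such file or directory/i"; content:!"favicon.ico"; threshold:type limit, track by_src, count 20, seconds 60; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-filename-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000161; parse_src_ip: 1; sid:5000161; rev:8;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Attempt to access a non-existent file or stream"; pcre: "/failed opening|failed to open stream/i"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-filename-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000378; parse_src_ip: 1; sid:5000378; rev:8;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Invalid URI in request"; content: "Invalid URI in request"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000162; parse_src_ip: 1; sid:5000162; rev:7;)

# NOTE(review): two content options normally must BOTH match, so this fires only when a single log
# line carries "file name too long" and "URI too long" together, case-sensitively. If either string
# alone was intended, a pcre alternation as in sid 5000161 would express that -- confirm intent.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Invalid URI, file name too long"; content: "file name too long"; content: "URI too long"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-filename-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000163; parse_src_ip: 1; sid:5000163; rev:7;)

# --- ModSecurity and resource errors ----------------------------------------------------------------

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Mod_Security Access denied"; pcre: "/modsecurity|mod_security|mod_security-message/i"; content: "access denied"; nocase; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000165; parse_src_ip: 1; sid:5000165; rev:7;)

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Resource temporarily unavailable"; content: "Resource temporarily unavailable"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: program-error; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000166; parse_src_ip: 1; sid:5000166; rev:7;)

# --- Reconnaissance indicators ----------------------------------------------------------------------

# NOTE(review): "?C=S;O=A" and "?C=M;O=A" look like the column-sort query strings of Apache's
# generated directory listings, so these two rules indicate directory-index browsing, not "../"
# path traversal. The msg text is left unchanged because downstream tooling may key on it.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Directory traversal attempt - 1"; content: "?C=S;O=A"; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000359; parse_src_ip: 1; sid: 5000359; rev:8;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Directory traversal attempt - 2"; content: "?C=M;O=A"; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000360; parse_src_ip: 1; sid: 5000360; rev:8;)

# The negated " 404 " content in the next three rules skips requests the server answered with 404.
# Expect routine crawler traffic to trigger the robots.txt rule.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Robots.txt access"; content: "robots.txt"; content:!" 404 "; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: unknown; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000361; parse_src_ip: 1; sid: 5000361; rev:9;)

# Fixed in review: the "recon" xbits option was listed twice in this rule; one copy is kept.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] PHPinfo access attempt [0/5]"; content: "phpinfo"; content:!" 404 "; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: attempted-recon; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000362; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; sid: 5000362; rev:11;)

# Fixed in review: program was "apachehttpd" (missing "|"), which matches neither program name
# used by the rest of this file, so the rule could not fire on apache/httpd messages.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Php-my-admin access attempt [0/5]"; content: "phpmyadmin"; nocase; content:!" 404 "; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000364; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; sid: 5000364; rev:8;)

# --- CVE-2014-6271 ----------------------------------------------------------------------------------
# Every rule in this section carries "fwsam: src, 1 day", i.e. a match asks the firewall to block the
# parsed source address for a day. The source is taken from the log text (parse_src_ip: 1); behind a
# proxy or load balancer that may be the intermediary's address -- verify before enabling blocking.
# The URLENCODE rules use "any" as source, so internal clients are in scope too.

# CVE-2014-6271 (09/24/2014 - Champ Clark III)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Remote execution attempt via CVE-2014-6271"; content:"|28 29 20 7b 20|"; program: apache|httpd; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: exploit-attempt; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5002180; reference: url,web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271; sid:5002180; rev:6;)

# CVE-2014-6271 (09/30/2014 - Champ Clark III) - These are modified Emerging Threats rules
#
# The numbered rules enumerate mixed raw / percent-encoded spellings of the same five-character
# marker matched by sid 5002180. Content matching here has no "nocase", so only the lowercase
# hex escapes shown (%7b) match as written.
# NOTE(review): the combination |28 29|%20{%20 has no rule in this set.

# Generic 1-8: both parentheses percent-encoded.
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 1"; content:"%28%29|20|{|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002181; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 2"; content:"%28%29|20|{%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002182; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 3"; content:"%28%29|20|%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002183; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 4"; content:"%28%29|20|%7b%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002184; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 5"; content:"%28%29%20{|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002185; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 6"; content:"%28%29%20{%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002186; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 7"; content:"%28%29%20%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002187; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 8"; content:"%28%29%20%7b%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002188; rev:3;)

# Generic 9-16: opening parenthesis percent-encoded, closing parenthesis raw.
# Fixed in review: as received, these eight patterns had no closing parenthesis at all
# (e.g. "%28|20|{|20|"), so they matched "%28 { " rather than the marker the msg names, while still
# requesting a one-day block. The raw |29| is restored to fit the enumeration used by the
# neighbouring groups -- confirm against the upstream Emerging Threats originals.
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 9"; content:"%28|29 20|{|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002189; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 10"; content:"%28|29 20|{%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002190; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 11"; content:"%28|29 20|%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002212; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 12"; content:"%28|29 20|%7b%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002191; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 13"; content:"%28|29|%20{|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002192; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 14"; content:"%28|29|%20{%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002193; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 15"; content:"%28|29|%20%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002194; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 16"; content:"%28|29|%20%7b%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002195; rev:3;)

# Generic 17-24: opening parenthesis raw, closing parenthesis percent-encoded.
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 17"; content:"|28|%29|20|{|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002196; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 18"; content:"|28|%29|20|{%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002197; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 19"; content:"|28|%29|20|%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002198; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 20"; content:"|28|%29|20|%7b%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002199; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 21"; content:"|28|%29%20{|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002200; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 22"; content:"|28|%29%20{%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002201; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 23"; content:"|28|%29%20%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002202; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 24"; content:"|28|%29%20%7b%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002203; rev:3;)

# Generic 25-30: both parentheses raw; the space and/or brace that follow are percent-encoded.
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 25"; content:"|28 29 20|{%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002204; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 26"; content:"|28 29 20|%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002205; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 27"; content:"|28 29 20|%7b%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002206; rev:3;)
# Fixed in review: the pattern began with |29 29| (two closing parentheses); the sibling rules
# 29 and 30 begin with |28 29|, so the first byte is corrected to 28.
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 28"; content:"|28 29|%20{|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002207; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 29"; content:"|28 29|%20%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002208; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 30"; content:"|28 29|%20%7b%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002209; rev:3;)

# Header line-continuation variants: a line break (LF or CRLF) sits between "()" and " {".
# NOTE(review): syslog transport usually delivers one line per message, so whether a raw LF/CRLF
# survives into the text Sagan inspects depends on the logging path -- verify these can match.
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion LF"; content:"|28 29 0a 20 7b|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002210; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion CRLF"; content:"|28 29 0d 0a 20 7b|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002211; rev:2;)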