File: apache.rules

sagan-rules 1:20170725-1
# Sagan apache.rules
# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
#  following conditions are met:
#
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
#
# In order to receive Apache logs via syslog, you'll need to change the "CustomLog" configuration
# entry in your Apache config to something like:
#
# CustomLog "|/usr/bin/logger -i -p local0.info -t apache2" common
#

# Disabled upstream: the segmentation-fault rule below is shipped commented out.
#alert any $EXTERNAL_NET any -> $HOME_NET any ( msg:"[APACHE] Segmentation fault"; content: "signal Segmentation Fault"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: program-error; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000155; sid:5000155; rev:5;)
# Matches the log text "denied by server configuration". Alerts are rate-limited per source
# (threshold: type limit, count 5, seconds 300) and the source is flagged with the "recon"
# xbit for 86400 seconds. parse_src_ip: 1 takes the alert's source address from the log text,
# so the address is only as trustworthy as what Apache logged (see proxy setups).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Attempt to access forbidden file or directory [0/5]"; content: "denied by server configuration"; threshold: type limit, track by_src, count 5, seconds 300; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: permissions-violation ; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000156; parse_src_ip: 1; sid:5000156; rev:9;)
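# Matches Apache's "Directory index forbidden by rule" error text, rate-limited to 5 alerts per
# source per 300 seconds, and flags the source with the "recon" xbit for 86400 seconds.
# Fixed: the "[0/5]" tag (used in the msg of the other count-5 threshold rules in this file) had
# been placed inside the content string, so the rule required a literal "[0/5]" in the log line
# and would not match Apache's message. The tag now sits in msg and content holds the log text only.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Attempt to access forbidden directory index [0/5]"; content: "Directory index forbidden by rule"; threshold: type limit, track by_src, count 5, seconds 300; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: permissions-violation; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000157; parse_src_ip: 1; sid:5000157; rev:10;)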
# Error-log string matches. None of the rules in this group except sid 5000161 carries a
# threshold, so each matching log line produces its own alert.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Client sent malformed Host header"; content: "Client sent malformed Host header"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: string-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000158; parse_src_ip: 1; sid:5000158; rev:7;)
# Case-insensitive match on "authentication failed"; single failures alert individually.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] User authentication failed"; content: "authentication failed"; nocase; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: unsuccessful-user; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000159; parse_src_ip: 1; sid:5000159; rev:7;)
# "user <name> not found": a login attempt for an unknown account; also sets the "recon" xbit.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Attempt to login using a non-existent user"; pcre: "/user \S+ not found/i"; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: unsuccessful-user; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000160; parse_src_ip: 1; sid:5000160; rev:8;)
# Missing-file errors, excluding lines that mention favicon.ico; threshold is count 20 in 60
# seconds per source, which is what makes this a "rapid" (scanner-like) indicator.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Rapid attempt to access a non-existent file or directory"; pcre: "/file does not exist|No such file or directory/i"; content:!"favicon.ico"; threshold:type limit, track by_src, count 20, seconds 60; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-filename-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000161; parse_src_ip: 1; sid:5000161; rev:8;)
# "failed opening" / "failed to open stream" in the log line (either alternative, case-insensitive).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Attempt to access a non-existent file or stream"; pcre: "/failed opening|failed to open stream/i"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-filename-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000378; parse_src_ip: 1; sid:5000378; rev:8;)
# Exact-case match on Apache's "Invalid URI in request" error.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Invalid URI in request"; content: "Invalid URI in request"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000162; parse_src_ip: 1; sid:5000162; rev:7;)
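# Over-long request path / URI errors.
# Fixed: the rule carried two content options ("file name too long" and "URI too long"). Multiple
# content options must all match, so a single log line had to contain both strings, which the
# msg ("Invalid URI, file name too long") does not suggest was intended. They are now one pcre
# alternation, case-insensitive like the other alternations in this file, so either message alerts.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Invalid URI, file name too long"; pcre: "/file name too long|URI too long/i"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-filename-detect; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000163; parse_src_ip: 1; sid:5000163; rev:7;)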
# ModSecurity block events: the line must name the module (pcre, case-insensitive) AND contain
# "access denied" (nocase).
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Mod_Security Access denied"; pcre: "/modsecurity|mod_security|mod_security-message/i"; content: "access denied"; nocase; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000165; parse_src_ip: 1; sid:5000165; rev:7;)
# Disabled upstream: shipped commented out.
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Resource temporarily unavailable"; content: "Resource temporarily unavailable"; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: program-error; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000166; parse_src_ip: 1; sid:5000166; rev:7;)
# NOTE(review): "?C=S;O=A" and "?C=M;O=A" are the column-sort query strings of Apache's
# auto-generated directory listings (mod_autoindex: sort by size / last-modified, ascending).
# A hit means someone is browsing an exposed directory index, not that a "../" path traversal
# was attempted, so the msg text overstates the event; triage these as recon / exposure.
# Both strings appear in the request URL, so they are only seen if access logs are forwarded.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Directory traversal attempt - 1"; content: "?C=S;O=A"; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000359; parse_src_ip: 1; sid: 5000359; rev:8;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Directory traversal attempt - 2"; content: "?C=M;O=A"; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: suspicious-traffic; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000360; parse_src_ip: 1; sid: 5000360; rev:8;)
# Any logged robots.txt request whose line does not contain " 404 ". There is no threshold, and
# the source gets the "recon" xbit for a day; ordinary search-engine crawlers will trigger this,
# so expect volume and avoid treating the xbit alone as hostile intent.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Robots.txt access"; content: "robots.txt"; content:!" 404 "; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: unknown; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000361; parse_src_ip: 1; sid: 5000361; rev:9;)
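# Requests mentioning "phpinfo" that were not answered with 404 (line lacks " 404 "); limited to
# 5 alerts per source per 300 seconds.
# Fixed: the rule set the same "recon" xbit twice (xbits: set,recon,86400 appeared two times);
# the redundant second copy is removed.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] PHPinfo access attempt [0/5]"; content: "phpinfo"; content:!" 404 "; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: attempted-recon; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000362; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; sid: 5000362; rev:11;)
# Requests mentioning "phpmyadmin" (nocase) that were not answered with 404; same threshold.
# Fixed: program was written "apachehttpd" (missing "|"), which names neither "apache" nor
# "httpd", so the rule could not match the programs every other rule in this file selects.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Php-my-admin access attempt [0/5]"; content: "phpmyadmin"; nocase; content:!" 404 "; xbits: set,recon,86400; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: web-application-attack; program: apache|httpd; reference: url,wiki.quadrantsec.com/bin/view/Main/5000364; parse_src_ip: 1; threshold:type limit, track by_src, count 5, seconds 300; sid: 5000364; rev:8;)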

# CVE-2014-6271 (09/24/2014 - Champ Clark III)
#
# content |28 29 20 7b 20| is the literal byte sequence "() { " anywhere in the logged line.
# On a match the rule sets the "exploit_attempt" xbit for 86400 seconds and, through
# fwsam: src, 1 day, requests a one-day block of the source address.
# NOTE(review): the blocked address comes from parse_src_ip (i.e. from the log text). Behind a
# reverse proxy or load balancer the logged client address may be the proxy itself; confirm what
# Apache logs before enabling automatic blocking. The same five bytes can also occur in benign
# request data (for example script source carried in a query string), so review alert volume
# before trusting the block action.

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[APACHE] Remote execution attempt via CVE-2014-6271"; content:"|28 29 20 7b 20|"; program: apache|httpd; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype: exploit-attempt; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5002180; reference: url,web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271; sid:5002180; rev:6;)

# CVE-2014-6271 (09/30/2014 - Champ Clark III) - These are modified Emerging Threats rules
#
# Each "Generic N" rule matches one spelling of "() { " in which some characters are
# percent-encoded (%28 "(", %29 ")", %20 space, %7b "{") and the rest are literal. Unlike the
# rules above, these use "any" as source and $HTTP_SERVERS as destination. Every rule sets the
# "exploit_attempt" xbit and requests a one-day fwsam block of the parsed source address.
# Generic 1-8: both parentheses percent-encoded (%28%29).
# NOTE(review): content matching is case-sensitive here (no nocase), so the upper-case encoding
# "%7B" is not covered by these patterns; consider adding nocase to the %7b variants.
# NOTE(review): the CustomLog example in this file's header uses the "common" format, which
# records the request line but not request headers such as User-Agent or Referer; a payload
# carried only in a header reaches these rules only if the forwarded log format includes it.

alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 1"; content:"%28%29|20|{|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002181; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 2"; content:"%28%29|20|{%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002182; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 3"; content:"%28%29|20|%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002183; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 4"; content:"%28%29|20|%7b%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002184; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 5"; content:"%28%29%20{|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002185; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 6"; content:"%28%29%20{%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002186; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 7"; content:"%28%29%20%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002187; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 8"; content:"%28%29%20%7b%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002188; rev:3;)
# Generic 9-16: patterns beginning with an encoded "(" (%28).
# NOTE(review): as written, these eight patterns contain no ")" at all: "%28" is followed
# directly by the space (|20| or %20). The groups before and after (Generic 1-8 with "%28%29",
# Generic 17-24 with "|28|%29") suggest this group was meant to pair %28 with a literal ")"
# (|29|). Without it the patterns match "%28 {" rather than an encoding of "() {", so they
# presumably never fire on the intended traffic. Confirm against the upstream Emerging Threats
# signatures before changing the content strings.
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 9"; content:"%28|20|{|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002189; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 10"; content:"%28|20|{%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002190; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 11"; content:"%28|20|%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002212; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 12"; content:"%28|20|%7b%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002191; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 13"; content:"%28%20{|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002192; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 14"; content:"%28%20{%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002193; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 15"; content:"%28%20%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002194; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 16"; content:"%28%20%7b%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002195; rev:3;)
# Generic 17-24: literal "(" (|28|) followed by an encoded ")" (%29), with the space and "{"
# in each literal / percent-encoded combination.
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 17"; content:"|28|%29|20|{|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day;  reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002196; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 18"; content:"|28|%29|20|{%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002197; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 19"; content:"|28|%29|20|%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002198; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 20"; content:"|28|%29|20|%7b%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002199; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 21"; content:"|28|%29%20{|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002200; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 22"; content:"|28|%29%20{%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002201; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 23"; content:"|28|%29%20%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002202; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 24"; content:"|28|%29%20%7b%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002203; rev:3;)
# Generic 25-27: literal "() " (|28 29 20|) with the "{" and/or the trailing space encoded.
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 25"; content:"|28 29 20|{%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002204; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 26"; content:"|28 29 20|%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002205; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 27"; content:"|28 29 20|%7b%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002206; rev:3;)
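# Generic 28: literal "()" followed by an encoded space (%20), a literal "{" and a literal space.
# Fixed: the content began with |29 29| ("))") instead of |28 29| ("()"), unlike Generic 29 and
# 30, which use |28 29| for the same prefix; as written it could not match "() {" variants.
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 28"; content:"|28 29|%20{|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002207; rev:3;)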
# Generic 29-30: literal "()" (|28 29|), encoded space (%20), encoded "{" (%7b), then a literal
# or encoded space.
# NOTE(review): no rule in the literal-parentheses group (Generic 25-30) covers "()" followed
# by %20, a literal "{" and %20; confirm whether that combination was left out on purpose.
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 29"; content:"|28 29|%20%7b|20|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002208; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 30"; content:"|28 29|%20%7b%20"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002209; rev:3;)
# Header line-continuation variants: "()" followed by LF (|0a|) or CRLF (|0d 0a|), then " {".
# NOTE(review): these patterns contain raw line-break bytes. Whether a line break inside a
# request header survives into a single syslog message depends on how Apache and the syslog
# transport write the line; verify with a test log entry that these two rules can match.
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion LF"; content:"|28 29 0a 20 7b|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002210; rev:3;)
alert any any any -> $HTTP_SERVERS any (msg:"[APACHE] CVE-2014-6271 Attempt In HTTP Headers Line Continuation Evasion CRLF"; content:"|28 29 0d 0a 20 7b|"; program: apache|httpd; xbits: set, exploit_attempt, 86400; parse_src_ip: 1; fwsam: src, 1 day; reference:url,www.invisiblethreat.ca/2014/09/cve-2014-6271/; default_proto:tcp; default_dst_port: $HTTP_PORT; classtype:attempted-admin; sid:5002211; rev:2;)