web-attacks.rules

This is the snapshot of Snot Latest Rules

# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules").  The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
# Reserved.  All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights).  In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
#
#
# $Id: web-attacks.rules,v 1.23 2005/05/16 22:18:17 mwatchinski Exp $
# ----------------
# WEB ATTACKS
# ----------------
# These signatures are going away.  They were based on generic signatures that
# would catch common commands issued to exploit form variable vulnerabilities, 
# but it is so trivial to evade these that it gives the user a false sense of
# security.
#
# plus, many of them were wrong.   uricontent:"ps%20" for example, since
# http_inspect takes care of decoding for us, that should really look like 
# "ps ".