Versions (2)
Version DetailsCurrent
Rev: 6 • Jan 23, 2012, 12:00 PMET WEB_SERVER LOIC Javascript DDoS Inbound
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER LOIC Javascript DDoS Inbound"; flow:established,to_server; threshold:type both, track by_src, count 5, seconds 60; http.method; content:"GET"; http.uri; content:"?id="; content:"&msg="; distance:13; within:5; pcre:"/\?id=[0-9]{13}&msg=[^&]+$/"; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:2014140; rev:6; metadata:created_at 2012_01_23, signature_severity Major, updated_at 2020_04_23;)
Jan 23, 2012, 12:00 PM
Apr 23, 2020, 12:00 PM
Sep 21, 2024, 3:00 AM
May 30, 2025, 12:04 AM
rules/emerging-web_server.rules