Intrusion detection systems that work at the application layer appear to be the next wave of security products to hit the market. As with network IDSs, some of the products in the application security space work with signatures, while others are anomaly based. This presentation looks at typical patterns produced by some of the more common web application attacks: SQL injection, cross-site scripting, directory traversal, buffer overflows, etc. It discusses how these attacks can be matched using regular-expression-based signatures on the Snort IDS. The difficult part, however, is writing signatures that cannot be easily evaded while still keeping false positives at an acceptable level.
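The trade-off between evasion resistance and false positives can be measured on a small scale. The following is an added example, not material from the presentation: it uses Python regular expressions rather than Snort rule syntax, and the signatures, the `normalize` helper and the sample request URIs are all constructed for illustration.

```python
import re
from urllib.parse import unquote

# Hypothetical signatures written for this example (not from the presentation).
LOOSE = {  # broad patterns: hard to slip past, but noisy
    "sqli": re.compile(r"'|--"),
    "xss": re.compile(r"script", re.I),
    "traversal": re.compile(r"\.\."),
}
TIGHT = {  # narrower patterns: quiet, but only reliable on decoded input
    "sqli": re.compile(r"'\s*(or|and|union)\b", re.I),
    "xss": re.compile(r"<\s*script\b", re.I),
    "traversal": re.compile(r"\.\./"),
}

# Constructed sample requests: (URI, attack class, or None for benign traffic).
SAMPLES = [
    ("/item?id=1' OR '1'='1", "sqli"),
    ("/item?id=1%27%20OR%20%271%27=%271", "sqli"),
    ("/page?name=<script>alert(1)</script>", "xss"),
    ("/page?name=%3CScRiPt%3Ealert(1)%3C/script%3E", "xss"),
    ("/download?file=../../etc/passwd", "traversal"),
    ("/download?file=..%2f..%2fetc%2fpasswd", "traversal"),
    ("/search?q=O'Reilly+books", None),
    ("/blog?title=script+writing+tips", None),
    ("/docs/rock--roll.html", None),
]

def normalize(uri, max_rounds=3):
    """Percent-decode until stable (bounded) so encoded and plain forms compare equal."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.replace("+", " ")

def match(signatures, uri, decode):
    """Return the names of all signatures that fire on the (optionally decoded) URI."""
    text = normalize(uri) if decode else uri
    return {name for name, rx in signatures.items() if rx.search(text)}

def evaluate(signatures, decode):
    """Return (missed attacks, false positives) over SAMPLES."""
    missed = [u for u, label in SAMPLES
              if label and label not in match(signatures, u, decode)]
    false_pos = [u for u, label in SAMPLES
                 if label is None and match(signatures, u, decode)]
    return missed, false_pos
```

On this sample set, the tight signatures miss the three percent-encoded requests when applied to raw URIs and miss nothing once the URI is decoded first, while the loose signatures catch every attack but also fire on all three benign requests.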