[Snort-devel] Bad sigs in cvs

Kreimendahl, Chad J Chad.Kreimendahl at ...1167...
Wed Jun 19 05:16:02 EDT 2002


The following rules have no classtype... Possibly web-application-attack?

(sids 1801,1802,1803,1804)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPERIMENTAL
WEB-IIS .asp HTTP header buffer overflow attempt";
flow:to_server,established; content:"HTTP|2F|"; nocase; uricontent:".asp";
nocase; content:"|3A|"; content:"|0A|"; content:"|00|";
reference:bugtraq,4476; sid:1801; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPERIMENTAL
WEB-IIS .asa HTTP header buffer overflow attempt";
flow:to_server,established; content:"HTTP|2F|"; nocase; uricontent:".asa";
nocase; content:"|3A|"; content:"|0A|"; content:"|00|";
reference:bugtraq,4476; sid:1802; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPERIMENTAL
WEB-IIS .cer HTTP header buffer overflow attempt";
flow:to_server,established; content:"HTTP|2F|"; nocase; uricontent:".cer";
nocase; content:"|3A|"; content:"|0A|"; content:"|00|";
reference:bugtraq,4476; sid:1803; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPERIMENTAL
WEB-IIS .cdx HTTP header buffer overflow attempt";
flow:to_server,established; content:"HTTP|2F|"; nocase; uricontent:".cdx";
nocase; content:"|3A|"; content:"|0A|"; content:"|00|";
reference:bugtraq,4476; sid:1804; rev:2;)




More information about the Snort-devel mailing list