[Snort-sigs] Re: Microsoft IIS .htr heap overflow

Steve Halligan giermo at ...22...
Fri Apr 12 11:36:42 EDT 2002

This rule actually only detects .htr access, not the overflow specifically.
It should proerly be titled WEB-IIS htr access.
The overflow signature would need to contain more info from the actual
nature of the exploit, which I haven't seen yet so I don't know what that
would be.

>I guessing this rule in web-iis.rules will pick up any .htr buffer
>web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
>(msg:"WEB-IIS Overflow-htr access";flags: A+; 
>uricontent:".htr"; nocase;
>classtype:web-application-attack; sid:987; rev:3;)

More information about the Snort-sigs mailing list