[Snort-sigs] php overflow signatures

Brian bmc at ...95...
Tue Feb 26 15:57:25 EST 2002

Below are the initial signatures for the PHP overflow that is about to
get a bunch of publication.  Have fun and whatnot.

Sourceforge's CVS server is broken, so these are not yet in CVS.

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition memchr overflow"; flags:A+; content:"Content-Disposition\:"; content:"name=\"|CC CC CC CC CC|"; classtype:web-application-attack; sid:1423; rev:1;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPERIMENTAL SHELLCODE x86 EB 0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; classtype:shellcode-detect; sid:1424; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition"; flags:A+; content:"Content-Disposition\:"; content:"form-data\;"; classtype:web-application-attack; sid:1425; rev:1;)

Brian Caswell
Snort Signature Guy
