[Snort-sigs] SSDP/uPnP signature

Chris Green cmg at ...26...
Fri Jan 4 11:03:09 EST 2002


Brian <bmc at ...95...> writes:

>
> (if this triggers, please send me the packet :P)
>
> alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPNP
> malformed advertisement"; content:"NOTIFY * "; nocase; offset:0;
> depth:8; classtype:misc-attack; reference:cve,CAN-2001-0876;
> reference:cve,CAN-2001-0877; sid:1384; rev:1;)

This misses " NOTIFY * " because of the depth/offset.  Gotta love HTTP
:-)

-- 
Chris Green <cmg at ...26...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod
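
The offset/depth windowing discussed in this thread, as an added example (not part of the original post and not Snort's own code). It is a simplified model of a single content option; the function names, the sample payloads and the depth value 32 are assumptions made for illustration. Note that the content string "NOTIFY * " is 9 bytes, so a depth of 8 cannot contain it even when the payload has no leading whitespace.

```python
"""Simplified model of one Snort content option (added example, not Snort code)."""

PATTERN = b"NOTIFY * "  # content string from the rule quoted above (9 bytes)

# Constructed sample payloads: SSDP NOTIFY request lines, not captured traffic.
CANONICAL = b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n\r\n"
LEADING_SPACE = b" " + CANONICAL
LOWERCASE = CANONICAL.replace(b"NOTIFY", b"notify")


def content_match(payload, pattern, offset=0, depth=None, nocase=False):
    """Return True if pattern lies wholly inside payload[offset:offset+depth]."""
    end = len(payload) if depth is None else offset + depth
    window = payload[offset:end]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


def evaluate(depth):
    """Run the rule's content test (offset 0, nocase) at a given depth."""
    samples = {
        "canonical": CANONICAL,
        "leading_space": LEADING_SPACE,
        "lowercase": LOWERCASE,
    }
    return {
        name: content_match(p, PATTERN, offset=0, depth=depth, nocase=True)
        for name, p in samples.items()
    }


if __name__ == "__main__":
    # 8 = depth in the posted rule; 9 = len(PATTERN); 32 = illustrative wider window.
    for depth in (8, 9, 32):
        print(f"depth:{depth:<3}", evaluate(depth))
```

Running the same three payloads through a candidate rule before deployment shows whether its search window is at least as long as the pattern and whether it tolerates leading whitespace.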



