[Snort-sigs] New IIS Buffer Overrun rules

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Thu Jun 13 07:56:02 EDT 2002


alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTtp_PORTS (msg:"EXPERIMENTAL WEB-IIS Buffer Overrun in HTTP header handling"; flags: A+; content:"HTTP|2F|"; nocase; uricontent:".cdx"; nocase; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; sid:1804; rev:1;)
 
Not completely sure that case matters... but HTtp_PORTS is supposed to be
HTTP_PORTS
 
Also, any plans to make the signature unique?  (possibly add the uricontent
part to it?  .cdx .asp....) 
 
Oh, and my favorite:  flags: A+ or flow: to_server,established ?