[Snort-sigs] anyone have a snort sig for the apache-chunk exploit?

Michael Scheidell scheidell at ...249...
Wed Jun 19 19:46:02 EDT 2002


I tried, but it seems I might have done something wrong.
(ps, for all those NOT at the techtarget security conference in Chicago, you
missed your look at the sourcefire NS (network sensor) with a presentation by
Marty.)

Mine doesn't seem to pick up anything. (patterned after tcpdump of nessus
test)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
 (msg:"CUSTOM - Apache Chunking exploit"; \
 content:"Transfer-Encoding\: chunked|0d0a0d0a|fffffff0|0d0a"; nocase; \
 reference:cve,CAN-2002-0392; \
reference:url,httpd.apache.org/info/security_bulletin_20020617.txt;)

tcpdump of nessus test:
0x0000   4500 00ef f976 4000 4006 2a7d 0a01 010a        E....v@.@.*}....
0x0010   0a01 010a 0eed 0050 7517 bd1b 314d 8a02        .......Pu...1M..
0x0020   8018 8218 c922 0000 0101 080a 097e 3286        .....".......~2.
0x0030   097e 3286 4745 5420 2f69 6e64 6578 2e68        .~2.GET./index.h
0x0040   746d 6c20 4854 5450 2f31 2e31 0d0a 486f        tml.HTTP/1.1..Ho
0x0050   7374 3a20 7363 616e 6e65 722e 7365 636e        st:.scanner.secn
0x0060   6170 2e6e 6574 0d0a 436f 6e74 656e 742d        ap.net..Content-
0x0070   5479 7065 3a20 6170 706c 6963 6174 696f        Type:.applicatio
0x0080   6e2f 782d 7777 772d 666f 726d 2d75 726c        n/x-www-form-url
0x0090   656e 636f 6465 640d 0a54 7261 6e73 6665        encoded..Transfe
0x00a0   722d 456e 636f 6469 6e67 3a20 6368 756e        r-Encoding:.chun
0x00b0   6b65 640d 0a0d 0a66 6666 6666 6666 300d        ked....fffffff0.
0x00c0   0a58 5858 5858 5858 5858 5858 5858 5858        .XXXXXXXXXXXXXXX
0x00d0   5858 5858 5858 5858 5858 5858 5858 5858        XXXXXXXXXXXXXXXX
0x00e0   5858 5858 5858 5858 5858 580d 0a0d 0a          XXXXXXXXXXX....

Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...249...
http://www.secnap.net
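
An added example (not part of the original post, and not Snort's own parser): a small Python decoder for the rule's `content` syntax, run against the TCP payload rebuilt from the tcpdump above. It assumes an unterminated `|` hex block is rejected rather than guessed at; `BALANCED` is a hypothetical variant of the posted string with one closing pipe added, and `decode_content`, `diagnose` and `PatternError` are names made up for this example.

```python
class PatternError(ValueError):
    """Raised when a content string cannot be decoded into bytes."""

def decode_content(pattern: str) -> bytes:
    """Decode content syntax: |..| encloses hex bytes, backslash escapes one char."""
    out, in_hex, hex_run, i = bytearray(), False, "", 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "|":
            if in_hex:  # closing pipe: convert the collected hex digits
                try:
                    out += bytes.fromhex(hex_run)
                except ValueError as exc:
                    raise PatternError(f"bad hex block {hex_run!r}") from exc
                hex_run = ""
            in_hex = not in_hex
        elif in_hex:
            hex_run += ch
        elif ch == "\\":  # escaped literal such as \: or \;
            i += 1
            if i == len(pattern):
                raise PatternError("dangling backslash")
            out += pattern[i].encode("latin-1")
        else:
            out += ch.encode("latin-1")
        i += 1
    if in_hex:  # assumption of this example: treat an open hex block as an error
        raise PatternError("hex block opened with | is never closed")
    return bytes(out)

def diagnose(pattern: str, payload: bytes, nocase: bool = True) -> str:
    """Return 'match', 'no match', or the decode error for a content string."""
    try:
        needle = decode_content(pattern)
    except PatternError as exc:
        return f"invalid: {exc}"
    if nocase:
        needle, payload = needle.lower(), payload.lower()
    return "match" if needle in payload else "no match"

# TCP payload rebuilt from the tcpdump in the post (offset 0x0034 onward, 187 bytes).
PAYLOAD = (b"GET /index.html HTTP/1.1\r\nHost: scanner.secnap.net\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n"
           b"Transfer-Encoding: chunked\r\n\r\nfffffff0\r\n" + b"X" * 42 + b"\r\n\r\n")

AS_POSTED = r"Transfer-Encoding\: chunked|0d0a0d0a|fffffff0|0d0a"   # content string from the rule
BALANCED = r"Transfer-Encoding\: chunked|0d0a0d0a|fffffff0|0d0a|"   # hypothetical: closing pipe added

if __name__ == "__main__":
    for name, pat in (("as posted", AS_POSTED), ("balanced", BALANCED)):
        print(f"{name}: {diagnose(pat, PAYLOAD)}")
```

`diagnose(AS_POSTED, PAYLOAD)` reports the unclosed hex block, while `diagnose(BALANCED, PAYLOAD)` returns `match` against the captured request.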




