[Snort-sigs] anyone have a snort sig for the apache-chunk exploit?

Imran William Smith iwsmith at ...500...
Wed Jun 19 20:09:02 EDT 2002


There was one added to the standard snort signatures download for 1.8 branch yesterday:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Transfer-Encoding\: chunked"; flags:A+;
content:"Transfer-Encoding\:"; nocase; content:"chunked"; nocase; classtype:web-application-attack; reference:bugtraq,4474;
reference:cve,CAN-2002-0079; reference:bugtraq,5033; reference:cve,CAN-2002-0392; sid:1807; rev:1;)

I can't confirm whether it works; I just monitor changes to the snort sigs.

I think the problem with your sig is the |'s.

--
Imran William Smith
Security Products Development
Mimos Bhd, Malaysia



----- Original Message -----
From: "Michael Scheidell" <scheidell at ...249...>
To: <snort-sigs at lists.sourceforge.net>
Sent: Thursday, June 20, 2002 10:43 AM
Subject: [Snort-sigs] anyone have a snort sig for the apache-chunk exploit?


| I tried, but it seems I might have done something wrong
| (ps, for all those NOT at the techtarget security conference in Chicago, you
| missed your look at the sourcefire NS (network sensor) with a presentation by
| Marty.)
|
| Mine doesn't seem to pick up anything. (patterned after tcpdump of nessus
| test)
|
| alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
|  (msg:"CUSTOM - Apache Chunking exploit"; \
|  content:"Transfer-Encoding\: chunked|0d0a0d0a|fffffff0|0d0a"; nocase; \
|  reference:cve,CAN-2002-0392; \
| reference:url,httpd.apache.org/info/security_bulletin_20020617.txt;)
|
| tcpdump of nessus test:
| 0x0000   4500 00ef f976 4000 4006 2a7d 0a01 010a        E....v at ...180...@.*}....
| 0x0010   0a01 010a 0eed 0050 7517 bd1b 314d 8a02        .......Pu...1M..
| 0x0020   8018 8218 c922 0000 0101 080a 097e 3286        .....".......~2.
| 0x0030   097e 3286 4745 5420 2f69 6e64 6578 2e68        .~2.GET./index.h
| 0x0040   746d 6c20 4854 5450 2f31 2e31 0d0a 486f        tml.HTTP/1.1..Ho
| 0x0050   7374 3a20 7363 616e 6e65 722e 7365 636e        st:.scanner.secn
| 0x0060   6170 2e6e 6574 0d0a 436f 6e74 656e 742d        ap.net..Content-
| 0x0070   5479 7065 3a20 6170 706c 6963 6174 696f        Type:.applicatio
| 0x0080   6e2f 782d 7777 772d 666f 726d 2d75 726c        n/x-www-form-url
| 0x0090   656e 636f 6465 640d 0a54 7261 6e73 6665        encoded..Transfe
| 0x00a0   722d 456e 636f 6469 6e67 3a20 6368 756e        r-Encoding:.chun
| 0x00b0   6b65 640d 0a0d 0a66 6666 6666 6666 300d        ked....fffffff0.
| 0x00c0   0a58 5858 5858 5858 5858 5858 5858 5858        .XXXXXXXXXXXXXXX
| 0x00d0   5858 5858 5858 5858 5858 5858 5858 5858        XXXXXXXXXXXXXXXX
| 0x00e0   5858 5858 5858 5858 5858 580d 0a0d 0a          XXXXXXXXXXX....
|
| Michael Scheidell
| SECNAP Network Security, LLC
| (561) 368-9561 scheidell at ...249...
| http://www.secnap.net
|
|
|
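As an added example, not code from either poster and not Snort's own matcher: the Python below reimplements just enough of Snort's content-string syntax (`|hex|` segments and `\:`-style escapes) to run both rules from this thread against the request payload transcribed from the tcpdump above, and it also extracts the first chunk size, which is the value a defender actually wants to alert on for the Apache chunk-handling bug. The payload bytes, the function names and the 0x80000000 threshold (a chunk length with the top bit set, which a 32-bit signed parser reads as negative) are my own transcription and assumptions, not anything from the original posts.

```python
import re

# Constructed sample: the TCP payload transcribed from the nessus tcpdump in the post
# (IP + 32-byte TCP header stripped; 42 'X' bytes of chunk body).
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: scanner.secnap.net\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"fffffff0\r\n" + b"X" * 42 + b"\r\n\r\n"
)

# Content strings exactly as they appear in the two rules in this thread.
SID_1807_CONTENTS = [("Transfer-Encoding\\:", True), ("chunked", True)]  # (pattern, nocase)
CUSTOM_CONTENT = "Transfer-Encoding\\: chunked|0d0a0d0a|fffffff0|0d0a"
# Hypothetical corrected form of the custom content: the third '|' gets its closing pipe.
CUSTOM_CONTENT_FIXED = "Transfer-Encoding\\: chunked|0d0a0d0a|fffffff0|0d0a|"


def parse_snort_content(pattern: str) -> bytes:
    """Turn a Snort content string into the bytes it matches.

    '|..|' encloses hex (spaces allowed), a backslash escapes the next character.
    An unpaired '|' is a rule syntax error, which is what breaks the custom rule.
    """
    out = bytearray()
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:          # escaped literal, e.g. \: or \;
            out.append(ord(pattern[i + 1]))
            i += 2
        elif c == "|":                        # start of a hex segment
            end = pattern.find("|", i + 1)
            if end == -1:
                raise ValueError(f"unmatched '|' at offset {i} in {pattern!r}")
            hexdigits = pattern[i + 1:end].replace(" ", "")
            if len(hexdigits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", hexdigits):
                raise ValueError(f"bad hex segment {pattern[i:end + 1]!r}")
            out += bytes.fromhex(hexdigits)
            i = end + 1
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def content_matches(payload: bytes, pattern: str, nocase: bool = False) -> bool:
    """Snort-style substring match of one content option against a payload."""
    needle, hay = parse_snort_content(pattern), payload
    if nocase:
        needle, hay = needle.lower(), hay.lower()
    return needle in hay


def check_rules(payload: bytes) -> dict:
    """Evaluate the content options of each rule; a parse error is reported as a string."""
    results = {"sid1807": all(content_matches(payload, p, nc) for p, nc in SID_1807_CONTENTS)}
    for name, pattern in (("custom", CUSTOM_CONTENT), ("custom_fixed", CUSTOM_CONTENT_FIXED)):
        try:
            results[name] = content_matches(payload, pattern, nocase=True)
        except ValueError as exc:
            results[name] = f"parse error: {exc}"
    return results


def first_chunk_size(payload: bytes):
    """Return the first chunk-size field of a chunked request, or None if not chunked."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep or not re.search(rb"transfer-encoding:\s*chunked", head.lower()):
        return None
    m = re.match(rb"([0-9A-Fa-f]+)", body.split(b"\r\n", 1)[0])
    return int(m.group(1), 16) if m else None


def chunk_size_overflows_int32(size: int) -> bool:
    """True when the chunk length has the sign bit set (assumed detection threshold)."""
    return size >= 0x80000000


if __name__ == "__main__":
    for name, hit in check_rules(SAMPLE_REQUEST).items():
        print(f"{name:13s} -> {hit}")
    size = first_chunk_size(SAMPLE_REQUEST)
    print(f"first chunk size: {size:#x}, negative as int32: {chunk_size_overflows_int32(size)}")
```

Running it shows sid 1807's two content options both hit, the posted custom rule stops at the third, unpaired `|` before anything is matched, and the same content with the closing pipe added matches the payload. The caveat for sid 1807 is that every legitimate chunked request also carries those two strings, so on a busy server the chunk-size check is what separates this probe from ordinary traffic.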