[Snort-sigs] anyone have a snort sig for the apache-chunk exploit?
cmg at ...435...
Thu Jun 20 04:14:01 EDT 2002
"Michael Scheidell" <scheidell at ...249...> writes:
> I tried, but seem I might have done something wrong
> (ps, for all those NOT at the techtarget security conference in Chicago, you
> missed your look at the sourcefire NS (network sensor) with a presentation by
> Mine doesn't seem to pick up anything. (patterned after tcpdump of nessus
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
> (msg:"CUSTOM - Apache Chunking exploit"; \
> content:"Transfer-Encoding\: chunked|0d0a0d0a|fffffff0|0d0a"; nocase; \
> reference:cve,CAN-2002-0392; \
To match that exact packet:
content:"Transfer-Encoding\: chunked|0d0a0d0a|fffffff0|0d0a|"; nocase;
Chris Green <cmg at ...435...>
Don't use a big word where a diminutive one will suffice.
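
An added example, not part of the original message: a simplified Python model of Snort's content syntax (literal text, |hex| sections, backslash escapes) that decodes both patterns from the thread and tests them against a payload. The function names and the sample payload are assumptions constructed for illustration, and rejecting an unclosed hex section is this decoder's own choice.

```python
import string

def decode_snort_content(pattern: str) -> bytes:
    """Decode a content pattern: literal text with |..| hex sections."""
    out, hex_digits, in_hex, i = bytearray(), "", False, 0
    while i < len(pattern):
        ch = pattern[i]
        if in_hex:
            if ch == "|":                      # closing pipe ends the hex run
                if len(hex_digits) % 2:
                    raise ValueError("odd number of hex digits")
                out += bytes.fromhex(hex_digits)
                hex_digits, in_hex = "", False
            elif ch in string.hexdigits:
                hex_digits += ch
            elif not ch.isspace():             # spaces between bytes are fine
                raise ValueError(f"non-hex character {ch!r} in hex section")
        elif ch == "|":                        # opening pipe starts a hex run
            in_hex = True
        elif ch == "\\" and i + 1 < len(pattern):
            i += 1                             # \: \; \" \\ -> literal char
            out += pattern[i].encode("latin-1")
        else:
            out += ch.encode("latin-1")
        i += 1
    if in_hex:
        raise ValueError("unterminated |hex| section")
    return bytes(out)

def content_matches(pattern: str, payload: bytes, nocase: bool = False) -> bool:
    """Substring match of the decoded pattern, optionally case-insensitive."""
    needle = decode_snort_content(pattern)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload

# Patterns as written in the thread (raw strings keep the \: escape).
ORIGINAL = r"Transfer-Encoding\: chunked|0d0a0d0a|fffffff0|0d0a"
CORRECTED = r"Transfer-Encoding\: chunked|0d0a0d0a|fffffff0|0d0a|"

# Constructed sample payload; the request line and Host header are made up.
SAMPLE = (b"POST /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
          b"transfer-encoding: CHUNKED\r\n\r\nfffffff0\r\n")

def check(pattern: str) -> str:
    """Report whether a pattern is valid and whether it matches SAMPLE."""
    try:
        return "match" if content_matches(pattern, SAMPLE, nocase=True) else "no match"
    except ValueError as exc:
        return f"invalid pattern: {exc}"
```

Calling check(ORIGINAL) and check(CORRECTED) shows the difference the trailing pipe makes: only the corrected pattern decodes to the byte sequence that ends in CRLF after the chunk size.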