[Snort-sigs] anyone have a snort sig for the apache-chunk exploit?

Chris Green cmg at ...435...
Thu Jun 20 04:14:01 EDT 2002


"Michael Scheidell" <scheidell at ...249...> writes:

> I tried, but it seems I might have done something wrong
> (ps, for all those NOT at the techtarget security conference in Chicago, you
> missed your look at the sourcefire NS (network sensor) with a presentation by
> Marty.)
>
> Mine doesn't seem to pick up anything. (patterned after tcpdump of nessus
> test)
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
>  (msg:"CUSTOM - Apache Chunking exploit"; \
>  content:"Transfer-Encoding\: chunked|0d0a0d0a|fffffff0|0d0a"; nocase; \
>  reference:cve,CAN-2002-0392; \
> reference:url,httpd.apache.org/info/security_bulletin_20020617.txt;)

To match that exact packet:

content:"Transfer-Encoding\: chunked|0d0a0d0a|fffffff0|0d0a|"; nocase;

;-)
-- 
Chris Green <cmg at ...435...>
Don't use a big word where a diminutive one will suffice.
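
The only difference between the two content strings in this thread is the closing pipe of the last hex block. As an added example (not part of the original posts, and not Snort's own parser), the sketch below decodes a content string under a simplified model of the content syntax, with literal text, backslash escapes and |hex| blocks, and reports an unterminated block. The names decode_content, check and ContentError are hypothetical.

```python
# Added example: simplified model of Snort's content-option syntax
# (literal text, backslash escapes, |hex| blocks). Not Snort's parser.

class ContentError(ValueError):
    pass

def decode_content(pattern: str) -> bytes:
    """Return the bytes a content string stands for, or raise ContentError."""
    out = bytearray()
    in_hex = False
    hex_digits = ""
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if in_hex:
            if ch == "|":  # closing pipe: flush the collected hex digits
                if len(hex_digits) % 2:
                    raise ContentError("odd number of hex digits in |...| block")
                out += bytes.fromhex(hex_digits)
                in_hex, hex_digits = False, ""
            elif ch in "0123456789abcdefABCDEF":
                hex_digits += ch
            elif not ch.isspace():  # spaces between byte pairs are tolerated
                raise ContentError(f"non-hex character {ch!r} inside |...| block")
        elif ch == "|":  # opening pipe: switch to hex mode
            in_hex = True
        elif ch == "\\":  # escaped character, e.g. \: or \;
            i += 1
            if i == len(pattern):
                raise ContentError("dangling backslash")
            out += pattern[i].encode("latin-1")
        else:
            out += ch.encode("latin-1")
        i += 1
    if in_hex:
        raise ContentError("unterminated |hex block: missing closing pipe")
    return bytes(out)

# The two content strings from the thread (raw strings keep the \: escape).
ORIGINAL = r"Transfer-Encoding\: chunked|0d0a0d0a|fffffff0|0d0a"
CORRECTED = r"Transfer-Encoding\: chunked|0d0a0d0a|fffffff0|0d0a|"

def check(pattern: str) -> str:
    """Summarise one pattern as 'ok: <bytes>' or 'error: <reason>'."""
    try:
        return "ok: " + repr(decode_content(pattern))
    except ContentError as exc:
        return "error: " + str(exc)

if __name__ == "__main__":
    print(check(ORIGINAL))
    print(check(CORRECTED))
```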



