[Snort-sigs] anyone have a snort sig for the apache-chunk exploit?

Michael Scheidell scheidell at ...249...
Thu Jun 20 05:11:09 EDT 2002


> >
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
> >  (msg:"CUSTOM - Apache Chunking exploit"; \
> >  content:"Transfer-Encoding\: chunked|0d0a0d0a|fffffff0|0d0a"; nocase; \
> >  reference:cve,CAN-2002-0392; \
> > reference:url,httpd.apache.org/info/security_bulletin_20020617.txt;)
> 
> To match that exact packet:
> 
> content:"Transfer-Encoding\: chunked|0d0a0d0a|fffffff0|0d0a|"; nocase;

sorry, I dropped that last bar when I 'wrapped' the code.
(snort would die if I didn't have it in there)

-- 
Michael Scheidell
SECNAP Network Security, LLC
(561) 368-9561 scheidell at ...249...
http://www.secnap.net/





More information about the Snort-sigs mailing list