[Snort-sigs] Quicktime Overflow Exploit Sig

SoloNet Newsfeed Processor newsfeed at ...1411...
Wed Apr 2 12:48:42 EST 2003


I've been having a few issues trying to figure out how to make sure that
the URI request length captured is the same as (or greater than) the 400
bytes defined in Apple's recent security announcement. Granted, this is
only my second real "sig" that I've developed, but I was wondering if
somebody could comment on it and tell me how to get the syntax to
capture the right overflow attempt. I think I'm close, but I could be a
bit off too.

CVE Candidate ID:  CAN-2003-0168
APPLE-SA-2003-03-31 QuickTime Player for Windows

Apple's Security Announcement: (requires authorization)

My Sig:

# sid is a placeholder from the local range (1000000+); note that dsize counts the whole TCP payload, not just the URI.
alert tcp $HOME_NET any -> any any (msg:"WEB-CLIENT QuickTime Player Buffer Overflow Attempt"; \
    flow:from_client,established; \
    content:"User-Agent\: QuickTime"; nocase; content:!"(qtver=6.1"; nocase; \
    content:"os=Windows"; nocase; dsize:>400; \
    reference:cve,CAN-2003-0168; classtype:attempted-admin; sid:1000001; rev:1;)

Thanks in advance...

David A. Koran
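As an added illustration (not part of the post above, and not Snort code), here are the rule's conditions applied to parsed HTTP requests in Python: the three User-Agent content tests, plus the 400-byte test measured against the request URI instead of the whole payload, which is what Snort's dsize counts. The User-Agent layout, the host name and the sample requests are constructed assumptions, not captured traffic.

```python
from typing import Dict, Optional, Tuple

# The 400-byte figure is the one the post attributes to Apple's advisory.
URI_LENGTH_THRESHOLD = 400


def parse_request(raw: bytes) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (request-target, headers) for an HTTP/1.x request, or None if
    the payload does not begin with a well-formed request line and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            return None
        headers[name.strip().lower()] = value.strip()
    return parts[1], headers


def matches_rule(raw: bytes) -> bool:
    """The posted rule's three content tests (case-insensitive, like nocase),
    with the 400-byte test applied to the URI rather than to the payload."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    target, headers = parsed
    ua = headers.get("user-agent", "").lower()
    if "quicktime" not in ua:
        return False
    if "(qtver=6.1" in ua:  # mirrors content:!"(qtver=6.1": skip the fixed release
        return False
    if "os=windows" not in ua:
        return False
    return len(target) > URI_LENGTH_THRESHOLD


def dsize_would_alert(raw: bytes) -> bool:
    """What dsize:>400 in the posted rule actually measures: the size of the
    entire TCP payload, request line and headers included."""
    return len(raw) > URI_LENGTH_THRESHOLD


def build_request(target: str, user_agent: str, extra_header: str = "") -> bytes:
    """Assemble a minimal GET request; used only to construct the samples."""
    head = f"GET {target} HTTP/1.1\r\nHost: media.example\r\nUser-Agent: {user_agent}\r\n"
    return (head + extra_header + "\r\n").encode("latin-1")


# Constructed samples. The User-Agent layout is assumed from the strings the
# rule matches on ("(qtver=" and "os=Windows"), not copied from real traffic.
VULNERABLE_UA = "QuickTime (qtver=6.0;os=Windows NT 5.0)"
FIXED_UA = "QuickTime (qtver=6.1;os=Windows NT 5.0)"
MAC_UA = "QuickTime (qtver=6.0;os=Mac 10.2.4)"

LONG_URI = build_request("/movies/" + "A" * 450 + ".mov", VULNERABLE_UA)
LONG_URI_FIXED = build_request("/movies/" + "A" * 450 + ".mov", FIXED_UA)
LONG_URI_MAC = build_request("/movies/" + "A" * 450 + ".mov", MAC_UA)
# Short URI but a big payload: dsize fires, the URI check does not.
SHORT_URI_BIG_PAYLOAD = build_request("/trailer.mov", VULNERABLE_UA,
                                      "X-Padding: " + "B" * 500 + "\r\n")

if __name__ == "__main__":
    samples = [("long URI", LONG_URI), ("long URI, qtver=6.1", LONG_URI_FIXED),
               ("long URI, Mac", LONG_URI_MAC),
               ("short URI, big payload", SHORT_URI_BIG_PAYLOAD)]
    for name, sample in samples:
        print(f"{name:24} uri-rule={matches_rule(sample)!s:5} "
              f"dsize>400={dsize_would_alert(sample)}")
```

The last sample is the case that separates the two measurements: a short URI in a request padded past 400 bytes satisfies dsize but not a check on the URI itself, and a request whose URI alone exceeds 400 bytes satisfies both.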
