[Snort-sigs] WebDav exploits - individual signatures

Joe Stewart jstewart at ...5...
Tue May 13 12:37:02 EDT 2003

Here's an additional signature that detects initial KaHT probe. The shellcode
is the same as kralor, so KaHT exploit attempts will already be detected.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXPLOIT WebDav 
ntdll.dll (KaHT probe)"; flow: to_server; content:"|5573 6572 2d41 6765 6e74 
3a20 4b61 4854 0d0a|"; reference:cve,CAN-2003-0109; 
reference:url,www.lurhq.com/webdav.html; classtype:attempted-admin; 
sid:1000015; rev:1;)


Joe Stewart, GCIH 
Senior Intrusion Analyst
LURHQ Corporation

More information about the Snort-sigs mailing list