[Snort-sigs] Sig for MS03-051
frank at ...1978...
Thu Nov 13 10:52:10 EST 2003
On Thu, 2003-11-13 at 12:24, Adams, Samuel (contractor) wrote:
> I would think you'd want to search for fp30reg.dll since it's
> less common than vti_bin or vti_aut - though I suppose the Transfer encoding
> and chunked content matches will take care of most false positives.
Since I didn't know what else could be overflowed in the vti_aut
section, I thought I'd leave it at the directory level. Any access in
there with chunked input is probably at risk.
> also consider adding depth measures to your content matches to speed them up
> (though if the uricontent is checked first - maybe this isn't necessary
> either). It appears that the Transfer-Encoding/chunked content shows up near
> the beginning of the
> Maybe something like depth: 100 and depth: 120 respectively?
> So the new sig might look like:
Good idea. I used one of the existing Frontpage or IIS to start from.
That didn't include depth, but I think it will help prevent FPs.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-FRONTPAGE Chunked Transfer-Encoding Post";
content:"Transfer-Encoding\:"; depth: 100; nocase; content:"chunked"; depth:
I would probably increase the depth a bit to catch long host names in
any Host: field or other stuff. Perhaps 200?
> Do you have any other references for this? I looked around on google briefly
> and didn't come up with much. security-assessment.com does not seem to mention
> it on their site either.
Not yet, but it is pretty new (released yesterday... well, at least the
fix from MS, not the notification to MS ;)
Thoughts on leaving "fp30reg.dll" off?
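As an added illustration (not code from this thread or from the Snort project), here is a small Python model of the proposed rule's matching logic run over constructed requests; it shows how a long Host: header can push the Transfer-Encoding header past a 100-byte depth, which is the case a depth of 200 is meant to cover. The directory-level uricontent on _vti_aut and the fp30reg.dll path are assumptions taken from the discussion.

```python
from typing import Optional

def content_match(payload: bytes, pattern: bytes, depth: Optional[int] = None,
                  nocase: bool = False) -> bool:
    """Approximate a Snort 'content' match with a 'depth' modifier: the pattern
    must lie entirely within the first `depth` bytes of the payload."""
    window = payload if depth is None else payload[:depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window

def request_uri(payload: bytes) -> bytes:
    """Pull the URI out of the request line (stand-in for Snort's uricontent)."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) >= 2 else b""

def rule_matches(payload: bytes, te_depth: int = 100, chunked_depth: int = 120) -> bool:
    """Logic of the proposed rule: a request into _vti_aut (assumed directory-level
    uricontent) whose headers announce chunked transfer encoding within the
    first N bytes. Defaults are the 100/120 depths suggested in the thread."""
    if b"_vti_aut" not in request_uri(payload).lower():
        return False
    if not content_match(payload, b"Transfer-Encoding:", depth=te_depth, nocase=True):
        return False
    return content_match(payload, b"chunked", depth=chunked_depth, nocase=True)

# Constructed sample requests (not captured traffic).
SHORT_POST = (b"POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n"
              b"Host: www.example.com\r\n"
              b"Transfer-Encoding: chunked\r\n\r\n"
              b"5\r\nhello\r\n0\r\n\r\n")
# Same request, but a 100-byte host name moves Transfer-Encoding: past byte 100.
LONG_HOST_POST = SHORT_POST.replace(b"www.example.com", b"a" * 100 + b".example.com")
# Chunked POST to an unrelated path: the uricontent check keeps it from matching.
OTHER_POST = SHORT_POST.replace(b"/_vti_bin/_vti_aut/fp30reg.dll", b"/upload.cgi")

if __name__ == "__main__":
    print("short post, depth 100/120:", rule_matches(SHORT_POST))
    print("long host, depth 100/120: ", rule_matches(LONG_HOST_POST))
    print("long host, depth 200/200: ", rule_matches(LONG_HOST_POST, 200, 200))
    print("other path, depth 100/120:", rule_matches(OTHER_POST))
```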