[Snort-sigs] Sig for MS03-051

Frank Knobbe frank at ...1978...
Thu Nov 13 14:08:13 EST 2003


hmrpf... I just tried the exploit against the sig and it doesn't fire
until the flow:to_server is removed. 

The following is working:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-FRONTPAGE Chunked Transfer-Encoding Post";
uricontent:"/_vti_bin/_vti_aut/fp30reg.dll";
content:"Transfer-Encoding\:"; depth: 200; nocase; content:"chunked"; depth:
220; nocase; classtype:web-application-attack;
reference:url.www.microsoft.com/technet/security/bulletin/ms03-051.asp;
rev:1; sid:11111111111;)

But this one:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-FRONTPAGE Chunked Transfer-Encoding Post";
flow:to_server,established; uricontent:"/_vti_bin/_vti_aut/fp30reg.dll";
content:"Transfer-Encoding\:"; depth: 200; nocase; content:"chunked"; depth:
220; nocase; classtype:web-application-attack;
reference:url.www.microsoft.com/technet/security/bulletin/ms03-051.asp;
rev:1; sid:11111111111;)

is not. What gives?

Frank
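
An added example, not part of the message above and not Snort's own code: a simplified Python model of the uricontent, content, depth and nocase options shared by both rules, run against a constructed request to confirm the pattern options are satisfied, which leaves the flow option as the only difference between the two rules. It does not model flow or stream state; the sample request, host name and function names are assumptions.

```python
# Simplified model of Snort pattern options; flow/stream state is NOT modelled.
# Pattern options shared by both rules in the post.
RULE_BODY = (
    'uricontent:"/_vti_bin/_vti_aut/fp30reg.dll"; '
    'content:"Transfer-Encoding\\:"; depth: 200; nocase; '
    'content:"chunked"; depth: 220; nocase;'
)

# Constructed sample request (hypothetical host, empty chunked body).
SAMPLE = (
    b"POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"transfer-encoding: Chunked\r\n\r\n"
    b"0\r\n\r\n"
)

def parse_options(body):
    """Return one dict per content/uricontent option, with its modifiers."""
    opts = []
    for item in (o.strip() for o in body.split(";") if o.strip()):
        name, _, value = item.partition(":")
        name, value = name.strip(), value.strip()
        if name in ("content", "uricontent"):
            pat = value.strip('"').replace("\\:", ":")  # undo the escaped colon
            opts.append({"kind": name, "pat": pat.encode(), "depth": None, "nocase": False})
        elif name == "depth" and opts:
            opts[-1]["depth"] = int(value)   # modifier applies to the preceding content
        elif name == "nocase" and opts:
            opts[-1]["nocase"] = True
    return opts

def evaluate(body, packet):
    """Check each pattern option against one payload; returns (kind, pattern, hit)."""
    uri = packet.split(b" ", 2)[1]  # raw request URI; real uricontent uses the normalized URI
    results = []
    for o in parse_options(body):
        hay = uri if o["kind"] == "uricontent" else packet
        if o["depth"] is not None:
            hay = hay[:o["depth"]]  # depth: search only the first N payload bytes
        pat = o["pat"]
        if o["nocase"]:
            hay, pat = hay.lower(), pat.lower()
        results.append((o["kind"], o["pat"].decode(), pat in hay))
    return results

if __name__ == "__main__":
    for kind, pat, hit in evaluate(RULE_BODY, SAMPLE):
        print(f"{kind:10} {pat!r:40} {'match' if hit else 'MISS'}")
```

Both depth values are measured from the start of the payload, so header order and length decide whether the two content options match.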
