[Snort-sigs] Avoidance of 1:1970:1 (WEB-IIS MDAC Content-Type overflow attempt)

nnposter at ...592...
Wed Apr 28 11:15:24 EDT 2004


Rule:  WEB-IIS MDAC Content-Type overflow attempt

--
Sid: 1970

--
Summary:

--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:

--
False Negatives:
The current version of the rule incorrectly assumes a specific HTTP header
capitalization. As a result, an attacker can easily get around the
signature.

See http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
--
Corrective Action:

--
Contributors:

-- 
Additional References:


I am proposing to follow content:"Content-Type\:" with "nocase":

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"WEB-IIS MDAC Content-Type overflow attempt";
flow:to_server,established; uricontent:"/msadcs.dll";
content:"Content-Type\:"; nocase; content:!"|0A|"; within:50;
reference:cve,CAN-2002-1142;
reference:url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337;
classtype:web-application-attack; sid:1970; rev:2;)
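As an added illustration of the false negative described above (this is not part of the original post and not Snort code), the following Python re-implements just enough of the rule's matching semantics (uricontent, a literal content match with and without nocase, and the negated content:!"|0A|" with within:50) to run three constructed requests through both the rev:1 and the proposed rev:2 logic. The function names, the sample requests and the simplified byte-search semantics (no http_inspect normalization) are assumptions made for this example.

```python
# Added example: a minimal re-implementation of the matching logic of Snort
# sid 1970 ("WEB-IIS MDAC Content-Type overflow attempt"), written for this
# note to show why the rev:1 rule is evaded by a lower-case header name and
# why adding "nocase" closes the gap. It is not Snort code; it only mimics
# the content / nocase / within:50 semantics the rule relies on, as a raw
# byte search over the request (no HTTP preprocessor normalization).


def sid1970_matches(payload: bytes, nocase: bool) -> bool:
    """Return True if the MDAC overflow rule would fire on this request payload.

    Rule options mimicked:
      uricontent:"/msadcs.dll"       -> URI of the request line contains it
      content:"Content-Type\\:"       -> literal header-name match in the payload
      [nocase]                       -> case-insensitive variant (rev:2)
      content:!"|0A|"; within:50;    -> no LF in the 50 bytes after the match
    """
    request_line, _, _ = payload.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) < 2 or b"/msadcs.dll" not in parts[1]:
        return False

    needle = b"Content-Type:"
    if nocase:
        # Snort's nocase compares ASCII letters case-insensitively;
        # lower-casing both sides is the equivalent search here.
        idx = payload.lower().find(needle.lower())
    else:
        # rev:1 behaviour: exact, case-sensitive byte match only.
        idx = payload.find(needle)
    if idx < 0:
        return False

    # A negated content with within:50 succeeds only if the byte is absent
    # from the 50 bytes following the end of the previous match, i.e. the
    # header value runs on for at least 50 bytes without a line break.
    end = idx + len(needle)
    return b"\n" not in payload[end:end + 50]


def build_request(header_name: bytes, value: bytes) -> bytes:
    """Constructed sample request to msadcs.dll (not captured traffic)."""
    return (b"POST /msadc/msadcs.dll HTTP/1.0\r\n"
            + b"Host: 192.0.2.10\r\n"
            + header_name + b": " + value + b"\r\n"
            + b"Content-Length: 0\r\n\r\n")


# Constructed samples: a normal RDS request, an overflow attempt with the
# canonical header spelling, and the same attempt with a lower-case name
# (legal per RFC 2616 section 4.2, which makes field names case-insensitive).
BENIGN = build_request(b"Content-Type", b"application/x-varg")
OVERFLOW = build_request(b"Content-Type", b"A" * 400)
EVASION = build_request(b"content-type", b"A" * 400)


def compare_revisions():
    """Evaluate each sample against rev:1 (case-sensitive) and rev:2 (nocase).

    Returns {name: (rev1_fires, rev2_fires)}.
    """
    return {name: (sid1970_matches(req, nocase=False),
                   sid1970_matches(req, nocase=True))
            for name, req in (("benign", BENIGN),
                              ("overflow", OVERFLOW),
                              ("evasion", EVASION))}


if __name__ == "__main__":
    for name, (rev1, rev2) in compare_revisions().items():
        print(f"{name:9s} rev1={str(rev1):5s} rev2={rev2}")
```

Running it shows the benign request firing on neither revision, the canonical overflow firing on both, and the lower-cased header firing only once nocase is present, which is exactly the gap the proposed rev:2 rule closes. The same evasion test is worth repeating against any other rule in the set that anchors on a literal HTTP header name without nocase.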