[Snort-sigs] Avoidance of 2597.2 (WEB-MISC Samba SWAT Authorization overflow attempt)

nnposter at ...592...
Wed Aug 4 13:39:31 EDT 2004

Rule:  WEB-MISC Samba SWAT Authorization overflow attempt

Sid: 2597

False Negatives:
Current version of the rule incorrectly assumes specific spacing. 
As a result, an attacker can easily get around the signature.

See http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
See http://www.ietf.org/rfc/rfc2617.txt

I am proposing the following correction:

(msg:"WEB-MISC Samba SWAT Authorization overflow attempt"; 
flow:to_server,established; content:"Authorization|3a|"; nocase; 
reference:bugtraq,10780; classtype:web-application-attack; sid:2597; rev:3;)
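
Added example, not part of the original post or of the Snort ruleset: a spacing-tolerant check for a Basic Authorization header that normalizes the whitespace RFC 2616 section 4.2 permits before matching. The STRICT pattern is a hypothetical stand-in for a fixed-spacing signature (not the text of sid 2597), and the sample requests and host name are constructed.

```python
import re

# Hypothetical stand-in for a signature that assumes exactly one space after
# the colon (an assumption for illustration, not the text of sid 2597).
STRICT = re.compile(rb"Authorization: Basic ", re.IGNORECASE)

# RFC 2616: a header value may be preceded by any amount of LWS, and a line
# starting with SP or HT continues the previous header (folding).
FOLD = re.compile(rb"\r?\n[ \t]+")
LWS_RUN = re.compile(rb"[ \t]+")

def parse_headers(raw):
    """Return (lowercased name, whitespace-normalized value) pairs."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    head = FOLD.sub(b" ", head)                  # unfold continuation lines
    fields = []
    for line in re.split(rb"\r?\n", head)[1:]:   # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            value = LWS_RUN.sub(b" ", value).strip(b" ")
            fields.append((name.strip(b" \t").lower(), value))
    return fields

def has_basic_authorization(raw):
    """True if any Authorization header carries the Basic scheme."""
    for name, value in parse_headers(raw):
        scheme, _, _ = value.partition(b" ")
        if name == b"authorization" and scheme.lower() == b"basic":
            return True
    return False

# Constructed sample requests; the credential is base64("test:test").
SAMPLES = {
    "single space": b"GET / HTTP/1.0\r\nAuthorization: Basic dGVzdDp0ZXN0\r\n\r\n",
    "no space": b"GET / HTTP/1.0\r\nAuthorization:Basic dGVzdDp0ZXN0\r\n\r\n",
    "tabs": b"GET / HTTP/1.0\r\nauthorization:\t Basic\tdGVzdDp0ZXN0\r\n\r\n",
    "folded": b"GET / HTTP/1.0\r\nAuthorization:\r\n Basic dGVzdDp0ZXN0\r\n\r\n",
    "no header": b"GET / HTTP/1.0\r\nHost: swat.example\r\n\r\n",
}

def compare():
    """Map each sample to (strict pattern hit, normalized check hit)."""
    return {k: (bool(STRICT.search(v)), has_basic_authorization(v))
            for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label:13} strict={result[0]} normalized={result[1]}")
```

The fixed-spacing pattern fires only on the first sample, while the normalized check fires on every request that a compliant server would read as Basic authorization.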
