[Snort-sigs] libpng tRNS overflow signature

Joe Stewart jstewart at ...5...
Thu Aug 5 09:46:06 EDT 2004

Here's a signature to catch a malicious PNG from a webserver on port 80
attempting to overflow the libpng tRNS vulnerability (CAN-2004-0597) :

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"libpng tRNS overflow attempt"; content:"|89|PNG|0D 0A 1A 0A|"; content:!"PLTE"; content:"tRNS"; byte_test:4,>,256,-8,relative,big; flow:established,to_client; classtype:attempted-admin; reference:cve,CAN-2004-0597; sid:1000117; rev:2;)


Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/

More information about the Snort-sigs mailing list