[Snort-sigs] New adobe vulnerability

Matthew Jonkman matt at ...2436...
Wed Aug 18 23:10:05 EDT 2004


nnposter at ...592... wrote:
> 
> You have not considered the impact of http_inspect. Therefore you need 
> to look for "real" ASCII zero, not its encoding and do not forget 
> to toss in nocase and flow:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
> (msg:"BLEEDING-EDGE Adobe Acrobat Reader Malicious URL Null Byte"; 
> flow:to_server,established; uricontent:".pdf|00|"; nocase;
> reference:cve,2004-0629; classtype:web-attack; sid:2002001; rev:???;)

Good advice, thanks. New version is posted.

Matt
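
Added example, not part of the original thread and not Snort's own code: a simplified Python model of the point made in the quoted reply, that uricontent is matched against the URI after http_inspect has normalized it, so the pattern must contain the raw null byte rather than "%00". The normalize() and uricontent_match() helpers and the sample URIs are assumptions made for illustration; normalization is reduced here to percent-decoding only.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample request URIs (illustrative, not captured traffic).
SAMPLES = [
    b"/docs/report.pdf%00.html",  # encoded null byte after .pdf
    b"/docs/REPORT.PDF%00x",      # same, upper-case extension
    b"/docs/report.pdf",          # benign
    b"/docs/report.pdf?page=2",   # benign
]

ENCODED_PATTERN = b".pdf%00"   # what a rule written against the wire bytes looks for
DECODED_PATTERN = b".pdf\x00"  # the ".pdf|00|" pattern from the quoted rule


def normalize(raw_uri: bytes) -> bytes:
    """Hypothetical stand-in for URI normalization: percent-decoding only."""
    return unquote_to_bytes(raw_uri)


def uricontent_match(raw_uri: bytes, pattern: bytes, nocase: bool = True) -> bool:
    """Model of a uricontent test: search the normalized URI for the pattern."""
    buf = normalize(raw_uri)
    if nocase:
        buf, pattern = buf.lower(), pattern.lower()
    return pattern in buf


def evaluate(samples=SAMPLES):
    """Return (uri, encoded_pattern_hit, decoded_pattern_hit) for each sample."""
    return [
        (uri,
         uricontent_match(uri, ENCODED_PATTERN),
         uricontent_match(uri, DECODED_PATTERN))
        for uri in samples
    ]


if __name__ == "__main__":
    for uri, enc_hit, dec_hit in evaluate():
        print(f"{uri!r:32} encoded-pattern={enc_hit!s:5} decoded-pattern={dec_hit}")
```

In this model the "%00" pattern never fires because the normalized buffer no longer contains it, and without nocase the upper-case sample is missed.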



