[Snort-sigs] New adobe vulnerability
matt at ...2436...
Wed Aug 18 23:10:05 EDT 2004
nnposter at ...592... wrote:
> You have not considered the impact of http_inspect. Therefore you need
> to look for "real" ASCII zero, not its encoding, and do not forget
> to toss in nocase and flow:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"BLEEDING-EDGE Adobe Acrobat Reader Malicious URL Null Byte";
> flow:to_server,established; uricontent:".pdf|00|"; nocase;
> reference:cve,2004-0629; classtype:web-attack; sid:2002001; rev:???;)
Good advice, thanks. New version is posted.
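
The point made in the quoted reply, as an added example (not code from either poster or from Snort): uricontent is matched against the URI after http_inspect has normalized it, so the signature has to contain the decoded null byte, and nocase is needed for upper-case extensions. The normalization is modeled here as plain percent-decoding, which is a simplifying assumption; the function names and request URIs are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

def normalize_uri(raw_uri: bytes) -> bytes:
    """Simplified stand-in for http_inspect URI normalization (percent-decoding only)."""
    return unquote_to_bytes(raw_uri)

def uricontent_match(raw_uri: bytes, pattern: bytes, nocase: bool = True) -> bool:
    """Search for pattern in the normalized URI, the buffer uricontent inspects."""
    uri = normalize_uri(raw_uri)
    if nocase:
        return pattern.lower() in uri.lower()
    return pattern in uri

DECODED_NULL = b".pdf\x00"  # what uricontent:".pdf|00|" looks for
ENCODED_NULL = b".pdf%00"   # the encoding as sent on the wire

# Constructed request URIs, not taken from real traffic.
SAMPLES = {
    "encoded_lower": b"/docs/report.pdf%00.html",
    "encoded_upper": b"/docs/REPORT.PDF%00.html",
    "encoded_dot":   b"/docs/report%2epdf%00.html",
    "benign":        b"/docs/report.pdf",
}

def evaluate() -> dict:
    """Per sample: (decoded+nocase, encoded+nocase, decoded case-sensitive)."""
    return {
        name: (
            uricontent_match(uri, DECODED_NULL),
            uricontent_match(uri, ENCODED_NULL),
            uricontent_match(uri, DECODED_NULL, nocase=False),
        )
        for name, uri in SAMPLES.items()
    }

if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:14} decoded+nocase={hits[0]} encoded={hits[1]} decoded-case={hits[2]}")
```

A signature written against the "%00" encoding never fires on the normalized buffer, and dropping nocase misses the upper-case request.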