[Snort-sigs] Squid NTML Auth overflow sig

Matthew Jonkman matt at ...2436...
Fri Jul 2 09:55:01 EDT 2004


Aaron DeLashmutt pointed out that we missed his submission of this sig 
on the sigs list. Our apologies.

It's posted now at bleedingsnort.com. Here's the rule:

alert tcp any any -> $HOME_NET 3128 (msg:"BLEEDING-EDGE Squid NTLM Auth 
Overflow Exploit"; content:"|4141 414a 4351 6b4a 4351 6b4a 4351 6b4a|"; 
offset:96; classtype:misc-attack; flow:to_server; 
reference:url,www.idefense.com/application/poi/display?id=107; 
reference:cve,CAN-2004-0541; sid:2000342; rev:1;)

Thanks Aaron

Matt




More information about the Snort-sigs mailing list