[Snort-sigs] Squid NTML Auth overflow sig

Matthew Jonkman matt at ...2436...
Fri Jul 2 09:55:01 EDT 2004

Aaron DeLashmutt pointed out that we missed his submission of this sig 
on the sigs list. Our apologies.

It's posted now at bleedingsnort.com. Here's the rule:

alert tcp any any -> $HOME_NET 3128 (msg:"BLEEDING-EDGE Squid NTLM Auth 
Overflow Exploit"; content:"|4141 414a 4351 6b4a 4351 6b4a 4351 6b4a|"; 
offset:96; classtype:misc-attack; flow:to_server; 
reference:cve,CAN-2004-0541; sid:2000342; rev:1;)

Thanks Aaron


More information about the Snort-sigs mailing list