[Snort-sigs] Avoidance of 1260.10 (WEB-MISC long basic authorization string)

nnposter at ...592...
Fri Jul 2 21:49:05 EDT 2004

Rule:  WEB-MISC long basic authorization string

Sid: 1260

False Negatives:
Current version of the rule incorrectly assumes specific spacing. 
As a result, an attacker can easily get around the signature.

See http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
See http://www.ietf.org/rfc/rfc2617.txt

I am proposing to convert the authentication clause to PCRE:

(msg:"WEB-MISC long basic authorization string"; 
content:"Authorization|3A|"; nocase; 
pcre:"/^Authorization\x3a\s*Basic [^\n]{512}/smi"; 
reference:bugtraq,3230; reference:cve,2001-1067; 
classtype:attempted-dos; sid:1260; rev:11;)
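
Added example, not part of the original post: a small regression check that runs the proposed PCRE (flags /smi mapped to Python's `re`) over constructed requests with different whitespace after the colon. `FIXED_SPACING` is an assumed stand-in for a signature that expects exactly one space; it is not the text of any shipped revision of sid 1260, and `request`, `coverage` and the host name are hypothetical.

```python
import re

# Proposed pattern from the post; PCRE /s /m /i -> re.S, re.M, re.I.
PROPOSED = re.compile(rb"^Authorization\x3a\s*Basic [^\n]{512}",
                      re.S | re.M | re.I)

# Assumption: stand-in for a fixed-spacing signature (one space after the colon).
FIXED_SPACING = re.compile(rb"^Authorization: Basic [^\n]{512}", re.M | re.I)

# Constructed separators placed between "Authorization:" and "Basic".
SEPARATORS = {"none": b"", "one space": b" ", "two spaces": b"  ", "tab": b"\t"}


def request(sep: bytes, cred_len: int) -> bytes:
    """Build a constructed HTTP request with `sep` after the header colon."""
    return (b"GET / HTTP/1.0\r\nHost: test.invalid\r\n"
            b"Authorization:" + sep + b"Basic " + b"A" * cred_len + b"\r\n\r\n")


def coverage(cred_len: int = 600) -> dict:
    """Map each separator name to (fixed_spacing_fires, proposed_fires)."""
    results = {}
    for name, sep in SEPARATORS.items():
        pkt = request(sep, cred_len)
        # content:"Authorization|3A|"; nocase; must match before the pcre runs.
        prefilter = b"authorization:" in pkt.lower()
        fixed = bool(FIXED_SPACING.search(pkt))
        proposed = prefilter and bool(PROPOSED.search(pkt))
        results[name] = (fixed, proposed)
    return results


if __name__ == "__main__":
    for label, cred_len in (("long credential", 600), ("short credential", 100)):
        print(label)
        for name, (fixed, proposed) in coverage(cred_len).items():
            print(f"  {name:11} fixed={fixed!s:5} proposed={proposed}")
```

The short-credential pass is the false-positive check: neither pattern should fire when the value is well under 512 bytes.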
