[Snort-sigs] Avoidance of 2278.6 (WEB-MISC negative Content-Length attempt)

nnposter at ...592...
Fri Jul 2 22:47:01 EDT 2004


Rule:  WEB-MISC negative Content-Length attempt

--
Sid: 2278

--

--
False Negatives:
The current version of the rule incorrectly assumes specific spacing after the header name.
As a result, an attacker can easily get around the signature.

See http://www.faqs.org/rfcs/rfc2045.html
See http://www.faqs.org/rfcs/rfc822.html


I am proposing to follow the header with "\s*" instead of "\s+":

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-MISC negative Content-Length attempt"; 
flow:to_server,established; 
content:"Content-Length|3A|"; nocase; 
pcre:"/^Content-Length\x3a\s*-\d+/smi"; 
reference:bugtraq,9098; reference:bugtraq,9476; 
reference:bugtraq,9576; reference:cve,2004-0095; 
classtype:misc-attack; sid:2278; rev:7;)
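Regression check for the two pcre variants, added here as an illustration and not part of the original post or the Snort rule set: the old pattern is reconstructed from the post's description ("\s+" after the header), the proposed pattern is the one in the rule above, and the HTTP requests are constructed samples.

```python
import re

# Snort's /smi flags correspond to re.S | re.M | re.I; with re.M the "^" anchor
# matches at the start of every header line, as it does in the rule.
FLAGS = re.S | re.M | re.I

# Pattern as the post describes the shipped rule: requires at least one whitespace.
OLD_PCRE = re.compile(r"^Content-Length\x3a\s+-\d+", FLAGS)
# Proposed pattern from the post: zero or more whitespace, as RFC 822 permits.
NEW_PCRE = re.compile(r"^Content-Length\x3a\s*-\d+", FLAGS)

# Constructed sample requests (not from the post); the first three carry a
# negative Content-Length with different spacing, the last one is benign.
SAMPLES = {
    "single_space": b"POST /cgi-bin/x HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: -1\r\n\r\n",
    "no_space":     b"POST /cgi-bin/x HTTP/1.1\r\nHost: www.example.com\r\nContent-Length:-1\r\n\r\n",
    "tab":          b"POST /cgi-bin/x HTTP/1.1\r\nHost: www.example.com\r\nContent-Length:\t-1\r\n\r\n",
    "benign":       b"POST /cgi-bin/x HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 12\r\n\r\n",
}


def matches(pattern: re.Pattern, request: bytes) -> bool:
    """True if the pcre would fire on this request payload."""
    return pattern.search(request.decode("latin-1")) is not None


def coverage(pattern: re.Pattern) -> dict:
    """Map each sample name to whether the given pattern detects it."""
    return {name: matches(pattern, req) for name, req in SAMPLES.items()}


def missed_by_old() -> list:
    """Samples the proposed pattern catches but the shipped one does not."""
    old, new = coverage(OLD_PCRE), coverage(NEW_PCRE)
    return sorted(name for name in SAMPLES if new[name] and not old[name])


if __name__ == "__main__":
    for label, pat in (("old \\s+", OLD_PCRE), ("new \\s*", NEW_PCRE)):
        print(label, coverage(pat))
    print("missed by old rule:", missed_by_old())
```

Running it shows the no-space variant slipping past the "\s+" pattern while both patterns leave the benign request alone.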
