[Snort-sigs] Avoidance of 1:1970:1 (WEB-IIS MDAC Content-Type overflow attempt)

Brian bmc at ...95...
Tue Jul 6 08:02:01 EDT 2004


On Tue, Apr 27, 2004 at 01:38:43PM -0600, nnposter at ...592... wrote:
> I am proposing to follow content:"Content-Type\:" with "nocase":
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
> (msg:"WEB-IIS MDAC Content-Type overflow attempt";
> flow:to_server,established; uricontent:"/msadcs.dll";
> content:"Content-Type\:"; nocase; content:!"|0A|"; within:50;
> reference:cve,CAN-2002-1142;
> reference:url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337;
> classtype:web-application-attack; sid:1970; rev:2;)

Yep, plus an isdataat.

-b
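An added example, not part of the original thread: a simplified Python model of the rule's payload options, run over constructed requests, to show what `nocase` and an `isdataat` each change. The `isdataat:50,relative` form and the truncated-segment case are assumptions, since the reply does not spell out the arguments; `flow` and `uricontent` are left out of the model.

```python
# Simplified model of the payload options in sid 1970 (not Snort's own code):
#   content:"Content-Type\:"[; nocase][; isdataat:50,relative];
#   content:!"|0A|"; within:50;
HEADER = b"Content-Type:"
WINDOW = 50  # bytes after the header name that must not contain a newline


def rule_matches(payload: bytes, nocase: bool, isdataat: bool) -> bool:
    """Return True if the modelled rule would alert on this payload."""
    haystack = payload.lower() if nocase else payload
    needle = HEADER.lower() if nocase else HEADER
    start = 0
    while True:
        idx = haystack.find(needle, start)
        if idx < 0:
            return False
        after = payload[idx + len(HEADER):]
        # Assumed isdataat:50,relative: require at least WINDOW bytes after
        # the match, so a short remainder cannot satisfy the negated content.
        enough_data = len(after) >= WINDOW or not isdataat
        if enough_data and b"\n" not in after[:WINDOW]:
            return True
        start = idx + 1  # try a later occurrence of the header name


# Constructed sample payloads (filler bytes only).
REQ = b"POST /msadcs.dll HTTP/1.0\r\n"
NORMAL = REQ + b"Content-Type: text/plain\r\n\r\n"
LONG_VALUE = REQ + b"Content-Type: " + b"A" * 200 + b"\r\n\r\n"
LONG_LOWER = REQ + b"content-type: " + b"A" * 200 + b"\r\n\r\n"
TRUNCATED = REQ + b"Content-Type: text/pl"  # segment ends mid-header

if __name__ == "__main__":
    variants = {
        "rev 1 (case-sensitive)": (False, False),
        "with nocase": (True, False),
        "with nocase + isdataat": (True, True),
    }
    samples = {"normal": NORMAL, "long": LONG_VALUE,
               "long, lower-case name": LONG_LOWER, "truncated": TRUNCATED}
    for vname, (nc, ida) in variants.items():
        for sname, data in samples.items():
            print(f"{vname:24} {sname:22} alert={rule_matches(data, nc, ida)}")
```

In this model the case-sensitive rule misses the lower-case header name, and without the data-length check a short trailing header alerts even though its value is not long.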