[Snort-sigs] Avoidance of 2278.6 (WEB-MISC negative Content-Length attempt)

Brian bmc at ...95...
Tue Jul 6 08:04:00 EDT 2004


On Fri, Jul 02, 2004 at 11:45:00PM -0600, nnposter at ...592... wrote:
> I am proposing to follow the header with "\s*" instead of "\s+":
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
> (msg:"WEB-MISC negative Content-Length attempt"; 
> flow:to_server,established; 
> content:"Content-Length|3A|"; nocase; 
> pcre:"/^Content-Length\x3a\s*-\d+/smi"; 
> reference:bugtraq,9098; reference:bugtraq,9476; 
> reference:bugtraq,9576; reference:cve,2004-0095; 
> classtype:misc-attack; sid:2278; rev:7;)

already had done this :)

-b
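
Added example, not part of the original message or the Snort rule set: a small regression check that runs the proposed pcre, and the `\s+` form it replaces, over constructed request headers. The `\s+` pattern is assumed to be the proposed one with only the quantifier changed; the host name, path and sample headers are made up for the test.

```python
import re

# PCRE modifiers /smi from the rule map to these Python flags.
FLAGS = re.S | re.M | re.I

# pcre from the proposed rule quoted above (rev 7).
PROPOSED = re.compile(r"^Content-Length\x3a\s*-\d+", FLAGS)
# Assumed prior form: identical except "\s+" after the header name.
PRIOR = re.compile(r"^Content-Length\x3a\s+-\d+", FLAGS)


def rule_matches(payload, pcre):
    """Emulate content:"Content-Length|3A|"; nocase; followed by the pcre."""
    if "content-length:" not in payload.lower():
        return False
    return pcre.search(payload) is not None


def request(header_line):
    """Build a constructed HTTP request carrying one header under test."""
    return ("POST /upload HTTP/1.1\r\n"
            "Host: www.example.test\r\n"
            + header_line + "\r\n\r\n")


# Constructed header lines, one per case the rule should be checked against.
SAMPLES = {
    "space": "Content-Length: -1",
    "no_space": "Content-Length:-1",
    "tab_lowercase": "content-length:\t-20",
    "positive": "Content-Length: 42",
    "other_header": "X-Content-Length: -1",
}


def compare():
    """Return {case: (prior_fires, proposed_fires)} for every sample."""
    return {
        name: (rule_matches(request(h), PRIOR),
               rule_matches(request(h), PROPOSED))
        for name, h in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (prior, proposed) in compare().items():
        print(f"{name:14} prior={prior!s:5} proposed={proposed}")
```

The only case where the two patterns disagree is the header with no whitespace after the colon, which is the gap the `\s*` change closes.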