[Snort-sigs] WEB-FRONTPAGE /_vti_bin/ access rule question to the community

Coen Bakkers, Monitored Security coen.bakkers at ...1134...
Wed May 26 11:23:09 EDT 2004


In light of my GCIA practical, I am doing a comparative study between Snort 2.0.x and Snort 2.1.3 RC1, I discovered that the WEB-FRONTPAGE /_vti_bin/ access
signature only triggers when the Metasploit Frontpage fp30reg.dll Chunked Encoding exploit is run against Snort 2.1.3RC1, Snort 2.0.x does not detect it although the rule seems to be the same, the rule group is activated as well. Settings seem to be the same in snort.conf.

Does anyone know why, i think it might have to do with some changes of the preprocessors, however I am not sure.

Thanks for your help,


Coen Bakkers
Security Analyst
Symantec, Berlin SOC
+49 1805 444 725

More information about the Snort-sigs mailing list