[Snort-sigs] new rule for detect Trend Micro ServerProtect isaNVWRequest.dll access

rmkml rmkml at ...324...
Thu Dec 15 00:50:03 EST 2005


Hi,

Please check and maybe add this new rule:

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-MISC Trend Micro ServerProtect isaNVWRequest.dll access"; 
flow:to_server,established; content:"POST"; nocase; depth:4; 
uricontent:"/ControlManager/cgi-bin/VA/isaNVWRequest.dll"; nocase; reference:cve,2005-1929; 
reference:url,www.idefense.com/application/poi/display?id=353&type=vulnerabilities; 
classtype:web-application-attack; )

This rule is not the best, because I have not added "Transfer-Encoding: chunked".

Improvements/comments are welcome.

Regards
Rmkml
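
The gap noted above, shown as an added example that is not part of the original post: a Python sketch that applies the posted rule's checks (POST in the first 4 bytes, the DLL path in the URI, both case-insensitive) and then the extra Transfer-Encoding: chunked condition. The function names, the constructed sample requests and the host tmcm.example are assumptions, and percent-decoding only approximates Snort's URI normalization.

```python
from urllib.parse import unquote

# Path from the rule's uricontent option, lowercased to emulate nocase.
TARGET_PATH = "/controlmanager/cgi-bin/va/isanvwrequest.dll"

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            # Repeated headers are joined into one comma-separated value.
            headers[key] = ", ".join(filter(None, [headers.get(key), value.strip()]))
    return parts[0], parts[1], headers

def matches_posted_rule(raw: bytes) -> bool:
    """content:"POST"; nocase; depth:4; plus uricontent on the decoded URI."""
    _, uri, _ = parse_request(raw)
    return raw[:4].upper() == b"POST" and TARGET_PATH in unquote(uri).lower()

def matches_with_chunked(raw: bytes) -> bool:
    """Posted rule plus a Transfer-Encoding header that lists 'chunked'."""
    if not matches_posted_rule(raw):
        return False
    _, _, headers = parse_request(raw)
    codings = [c.strip().lower() for c in headers.get("transfer-encoding", "").split(",")]
    return "chunked" in codings

# Constructed sample requests (not captured traffic).
PLAIN_POST = (b"POST /ControlManager/cgi-bin/VA/isaNVWRequest.dll HTTP/1.1\r\n"
              b"Host: tmcm.example\r\nContent-Length: 4\r\n\r\nabcd")
CHUNKED_POST = (b"POST /controlmanager/CGI-BIN/va/isaNVWRequest%2Edll HTTP/1.1\r\n"
                b"Host: tmcm.example\r\ntransfer-encoding:  gzip, Chunked\r\n\r\n"
                b"4\r\nabcd\r\n0\r\n\r\n")
OTHER_GET = b"GET /index.html HTTP/1.1\r\nHost: tmcm.example\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("plain", PLAIN_POST), ("chunked", CHUNKED_POST), ("get", OTHER_GET)]:
        print(name, matches_posted_rule(req), matches_with_chunked(req))
```

The posted rule fires on both POST samples, while the chunked variant fires only on the second.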



