[Snort-sigs] new rule to detect buffer overflow in Watchfire AppScan

rmkml rmkml at ...324...
Thu Dec 15 15:44:16 EST 2005


Please check and maybe add this new rule:

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-MISC 401 Authorization Required overflow attempt"; 
flow:to_server,established; content:"401 Authorization Required"; nocase; 
content:"Basic|20|realm|3D|"; nocase; pcre:"/[^$]{300}/smi"; 
reference:cve,2005-4270; reference:bugtraq,15873; )

"Buffer overflow in Watchfire AppScan QA 5.0.609 and 5.0.134 allows remote 
web servers to execute arbitrary code via an HTTP 401 response with a
WWW-Authenticate header containing a long Realm field."

Improvements/comments are welcome.
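
Added example, not part of the original post and not an official Snort rule: a variant that follows the quoted advisory text, where the 401 response travels from a remote web server to the scanning client, and that ties the length test to the realm value of the WWW-Authenticate header. Assumptions: $HOME_NET contains the hosts running the scanner, the 300-byte threshold is carried over from the posted pcre, the msg text and classtype are illustrative, and sid 1000001 is a placeholder from the local-rules range.

```snort
# Added example (not the rule from the post above).
# Direction: server response -> client, so source port is $HTTP_PORTS
# and flow is to_client.
# The status line check ("HTTP/1.x 401") is anchored to the start of the
# stream payload; the pcre then requires 300 or more bytes inside the
# realm value on the WWW-Authenticate line, stopping at a quote or CRLF.
# sid 1000001 is a placeholder; pick a free sid in your local range.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"WEB-CLIENT 401 WWW-Authenticate long realm overflow attempt"; \
    flow:to_client,established; \
    content:"HTTP/1."; depth:7; \
    content:"401"; distance:2; within:3; \
    content:"WWW-Authenticate|3A|"; nocase; \
    pcre:"/^WWW-Authenticate\x3a[^\r\n]*realm\s*=\s*\x22?[^\x22\r\n]{300}/mi"; \
    reference:cve,2005-4270; reference:bugtraq,15873; \
    classtype:attempted-user; sid:1000001; rev:1; )
```

The content match on "WWW-Authenticate" acts as a fast pre-filter so the pcre only runs on 401 responses that carry the header.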

