[Snort-sigs] false negative for SID 2386

Lutz Schildt schildt at ...2172...
Mon Jun 27 06:11:33 EDT 2005


Hi there,
 
I recently found a few attempts to exploit that ASN.1 bug while going through a binary tcpdump log using Ethereal.
 
GET / HTTP/1.0
Host: a.b.c.d
Authorization: Negotiate YIIQegYGKwYBBQUCoIIQb [--cut--]
 
Snort doesn't report this one.
 
Maybe the rule should be changed to
 
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS NTLM ASN.1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization|3A| Negotiate YI"; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; classtype:attempted-dos; sid:2386; rev:8;)
 
as the Authorization is only the same up to here.
 
Kind regards
 
Lutz Schildt
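What the proposed content match actually keys on, as an added example that is not part of the post or of the Snort rule set: the base64 prefix "YI" decodes to the GSS-API InitialContextToken tag (0x60) followed by a long-form BER length byte, so the match fires on any Negotiate token of 128 bytes or more, whether or not it carries the oversized ASN.1 structure. The script below translates the Snort content: syntax to bytes, runs the substring match over the (truncated) request from the post and over constructed requests, and decodes the tag, length and leading OID of each token. The SPNEGO OID 1.3.6.1.5.5.2 is a known constant; the make_negotiate_request builder emits a stand-in negTokenInit of filler bytes, not a real one, and the NTLM sample is a constructed, truncated raw NTLMSSP negotiate message. All inputs are constructed for the example.

```python
"""Exercise the proposed SID 2386 content match against constructed HTTP requests.

Added example, not from the post or the Snort rule set. Shows what the base64
prefix "YI" pins down: a GSS-API InitialContextToken (tag 0x60) whose BER
length is long form, i.e. a token of at least 128 bytes.
"""
import base64
import re
from typing import Optional

# The content: string proposed in the post, in Snort syntax with |hh| hex escapes.
PROPOSED_CONTENT = "Authorization|3A| Negotiate YI"
SPNEGO_OID = "1.3.6.1.5.5.2"  # well-known SPNEGO mechanism OID

# Request from the post, with the token truncated exactly as the post shows it.
POST_SAMPLE = (b"GET / HTTP/1.0\r\nHost: a.b.c.d\r\n"
               b"Authorization: Negotiate YIIQegYGKwYBBQUCoIIQb\r\n\r\n")
# Constructed: raw NTLMSSP negotiate message (truncated) sent inside a Negotiate header.
NTLM_SAMPLE = (b"GET / HTTP/1.0\r\nHost: a.b.c.d\r\n"
               b"Authorization: Negotiate TlRMTVNTUAABAAAA\r\n\r\n")


def snort_content_to_bytes(content: str) -> bytes:
    """Translate Snort content: syntax ('abc|3A 20|def') into raw bytes."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def content_matches(payload: bytes, content: str = PROPOSED_CONTENT) -> bool:
    """Plain substring test, which is what an unmodified content: match does."""
    return snort_content_to_bytes(content) in payload


def ber_tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV, using short- or long-form length as the size requires."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(octets)]) + octets
    return bytes([tag]) + length + body


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def decode_oid(data: bytes) -> str:
    arcs = [data[0] // 40, data[0] % 40]
    value = 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def make_negotiate_request(inner_size: int, host: str = "a.b.c.d") -> bytes:
    """Constructed GET carrying a GSS-API token whose [0] element is inner_size filler bytes.

    The [0] element stands in for a real negTokenInit; only its size matters here.
    """
    inner = ber_tlv(0xA0, b"\x00" * inner_size)
    token = ber_tlv(0x60, ber_tlv(0x06, encode_oid(SPNEGO_OID)) + inner)
    b64 = base64.b64encode(token).decode("ascii")
    return (f"GET / HTTP/1.0\r\nHost: {host}\r\n"
            f"Authorization: Negotiate {b64}\r\n\r\n").encode("ascii")


_NEGOTIATE_RE = re.compile(rb"(?im)^Authorization:\s*Negotiate\s+([A-Za-z0-9+/=]+)")


def decode_token_prefix(payload: bytes) -> Optional[dict]:
    """Decode tag, BER length and leading OID from the front of a Negotiate token.

    Works on a truncated token: only whole base64 quanta at the start are used.
    """
    m = _NEGOTIATE_RE.search(payload)
    if not m:
        return None
    b64 = m.group(1)
    raw = base64.b64decode(b64[: len(b64) // 4 * 4])
    tag = raw[0]
    if raw[1] & 0x80:  # long form: low bits give the number of length octets
        n = raw[1] & 0x7F
        length, pos, long_form = int.from_bytes(raw[2:2 + n], "big"), 2 + n, True
    else:
        length, pos, long_form = raw[1], 2, False
    oid = None
    if len(raw) > pos + 1 and raw[pos] == 0x06:
        oid_len = raw[pos + 1]
        if len(raw) >= pos + 2 + oid_len:
            oid = decode_oid(raw[pos + 2:pos + 2 + oid_len])
    return {"tag": tag, "long_form": long_form, "length": length, "oid": oid}


if __name__ == "__main__":
    for name, req in [("post sample", POST_SAMPLE), ("ntlm raw", NTLM_SAMPLE),
                      ("spnego 26B", make_negotiate_request(16)),
                      ("spnego 214B", make_negotiate_request(200)),
                      ("spnego 4KB", make_negotiate_request(4000))]:
        print(f"{name:12} match={content_matches(req)!s:5} {decode_token_prefix(req)}")
```

Running it shows the post's sample decoding to tag 0x60, a two-octet length of 4218 and the SPNEGO OID, and that the "YI" match also fires on the 214-byte constructed token while missing the 26-byte one and the raw NTLMSSP message: the proposed match separates large from small GSS-API tokens, not malformed from well-formed ones.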