[Snort-sigs] false negative for SID 2386
schildt at ...2172...
Mon Jun 27 06:11:33 EDT 2005
I recently found a few attempts to exploit that ASN.1 bug while going through a binary tcpdump log using Ethereal.
GET / HTTP/1.0
Authorization: Negotiate YIIQegYGKwYBBQUCoIIQb [--cut--]
Snort doesn't report this one.
Maybe the rule should be changed to
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS NTLM ASN.1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization|3A| Negotiate YI"; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; classtype:attempted-dos; sid:2386; rev:8;)
as the Authorization header is only the same up to here.
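The following is an added example, not code from the post or from the Snort rule set, that shows why a shorter content match catches more variants of this header. It implements Snort's content: keyword as a plain substring match, compares the prefix observed in the post ("YIIQegYGKwYBBQUCoIIQb", used here as a stand-in for a long match; the actual content string of the current rule is not in the post) against the proposed "Negotiate YI", and decodes the base64 prefix to show what "YI" stands for: a token starting with the ASN.1 tag 0x60 (GSS-API InitialContextToken) followed by a long-form length byte. The three HTTP requests are constructed samples; the second token ("YIIFDg...") is made up to have a different token length, and the third is a raw NTLMSSP token.

```python
import base64

# Constructed sample requests (not real traffic). Header values are
# truncated base64 fragments, which is enough for a prefix match.
REQUEST_FROM_POST = (
    b"GET / HTTP/1.0\r\n"
    b"Authorization: Negotiate YIIQegYGKwYBBQUCoIIQb\r\n\r\n"
)
# Constructed: same SPNEGO tag, different token length, so the base64
# diverges from the post's sample after the first two characters.
REQUEST_OTHER_LENGTH = (
    b"GET / HTTP/1.0\r\n"
    b"Authorization: Negotiate YIIFDgYGKwYBBQUCoIIFAg\r\n\r\n"
)
# Constructed: raw NTLMSSP token, which is not wrapped in a SPNEGO tag.
REQUEST_RAW_NTLM = (
    b"GET / HTTP/1.0\r\n"
    b"Authorization: Negotiate TlRMTVNTUAABAAAA\r\n\r\n"
)

# The two content: strings under discussion (Snort's |3A| is a literal ':').
# PATTERN_FULL_PREFIX is the prefix seen in the post, standing in for a long match.
PATTERN_FULL_PREFIX = b"Authorization: Negotiate YIIQegYGKwYBBQUCoIIQb"
PATTERN_PROPOSED = b"Authorization: Negotiate YI"


def content_match(request, pattern):
    """A Snort content: keyword is a plain substring match."""
    return pattern in request


def negotiate_token(request):
    """Return the base64 value of a 'Authorization: Negotiate' header, or None."""
    for line in request.split(b"\r\n"):
        if line.lower().startswith(b"authorization: negotiate "):
            return line.split(b" ", 2)[2]
    return None


def decode_prefix(token):
    """Decode the first 4 base64 characters (3 bytes): enough to see the ASN.1 tag."""
    return base64.b64decode(token[:4])


def looks_like_spnego(token):
    """True if the token starts with tag 0x60 (APPLICATION 0, constructed, i.e. a
    GSS-API InitialContextToken) and a long-form length byte (high bit set),
    which is exactly what the base64 prefix 'YI' encodes."""
    raw = decode_prefix(token)
    return raw[0] == 0x60 and (raw[1] & 0x80) != 0


def classify(request):
    """Evaluate both content matches plus the decoded-tag check on one request."""
    token = negotiate_token(request)
    return {
        "full_prefix_match": content_match(request, PATTERN_FULL_PREFIX),
        "proposed_match": content_match(request, PATTERN_PROPOSED),
        "spnego_long_form": looks_like_spnego(token) if token else False,
    }


if __name__ == "__main__":
    for name, req in [("post sample", REQUEST_FROM_POST),
                      ("other length", REQUEST_OTHER_LENGTH),
                      ("raw NTLM", REQUEST_RAW_NTLM)]:
        print(name, classify(req))
```

The decoded prefix is the caveat a rule author wants before shortening the match: "YI" only says "SPNEGO token longer than 127 bytes", so the proposed rule also fires on legitimate Kerberos-over-SPNEGO logins of that size, and it no longer keys on the inner ASN.1 lengths that distinguish the malformed token. Fewer false negatives here are paid for with more false positives on hosts that actually use Negotiate.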