[Snort-sigs] New rule for detect GFI MailSecurity Header Overflow

rmkml rmkml at ...324...
Sun Oct 16 11:33:00 EDT 2005


Hi,

Please check and add these two new rules:

web-iis.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT 
GFI MailSecurity Mgmt Host Overflow attempt"; flow:to_server,established; 
content:"Host"; nocase; pcre:"/^Host[^s]{100}/smi"; reference:bugtraq,15081; 
reference:osvdb,19926; classtype:attempted-admin; )

web-iis.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT 
GFI MailSecurity Mgmt Accept Overflow attempt"; flow:to_server,established;
content:"Accept"; nocase; pcre:"/^Accept[^s]{100}/smi"; reference:bugtraq,15081;
reference:osvdb,19926; classtype:attempted-admin; )

I chose the web-iis.rules file because the GFI MailSecurity product is running 
on the win32 platform (on an IIS srv).

Regards
Rmkml
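
A small harness for checking the two PCRE bodies in the rules above against sample requests before deployment, added here as an example and not part of the original post. The BOUNDED variant, the helper names and both sample requests are constructed assumptions.

```python
import re

# PCRE bodies copied as printed in the two rules; /smi maps to these flags.
FLAGS = re.S | re.M | re.I
POSTED = {
    "Host": re.compile(r"^Host[^s]{100}", FLAGS),
    "Accept": re.compile(r"^Accept[^s]{100}", FLAGS),
}
# Assumption (not from the post): a class that cannot run past the line end.
BOUNDED = {
    "Host": re.compile(r"^Host[^\r\n]{100}", FLAGS),
    "Accept": re.compile(r"^Accept[^\r\n]{100}", FLAGS),
}

# Constructed sample: short Host/Accept values followed by a long Cookie line.
BENIGN = ("GET /index.html HTTP/1.1\r\n"
          "Host: mail.example.org\r\n"
          "Accept: text/html\r\n"
          "Cookie: id=" + "0123456789abcdef" * 8 + "\r\n\r\n")
# Constructed sample: a Host value far beyond the 100-character threshold.
OVERLONG = "GET / HTTP/1.1\r\nHost: " + "A" * 300 + "\r\nAccept: */*\r\n\r\n"

def fired(patterns, payload):
    """Return the sorted header names whose pattern matches the payload."""
    return sorted(n for n, rx in patterns.items() if rx.search(payload))

def header_lengths(payload, watched=("host", "accept")):
    """Parse the header block and return {name: value length} for watched names."""
    head = payload.split("\r\n\r\n", 1)[0]
    out = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key in watched:
            out[key] = len(value.strip())
    return out

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("overlong", OVERLONG)):
        print(label, header_lengths(sample),
              "posted:", fired(POSTED, sample),
              "bounded:", fired(BOUNDED, sample))
```

A negated class such as `[^s]` also matches CR and LF, so the posted patterns can match across following header lines; the parsed lengths give an independent view of which header actually exceeds 100 characters.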
