[Snort-sigs] New rule for detect RSA WebAgent Redirect oveflow

rmkml rmkml at ...324...
Wed Oct 19 00:30:07 EDT 2005


Hi,

Please check and add this two new rule :

web-iis.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"WEB-IIS RSA WebAgent Redirect Overflow attempt"; 
flow:to_server,established; uricontent:"/WebID/IISWebAgentIF.dll";
nocase; pcre:"/\x3fRedirect\x3f[^\s]{100,}/smi";
classtype:web-application-activity; )

web-iis.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"WEB-IIS RSA WebAgent access"; flow:to_server,established; 
uricontent:"/WebID/IISWebAgentIF.dll"; nocase; reference:cve,2005-1118; 
reference:bugtraq,13168; classtype:web-application-activity; )

On first alert, I don't found cve/bid/nessus/osvdb num,
but rsa webagent dll security pb previously (second alert).

Regards
Rmkml




More information about the Snort-sigs mailing list