[Snort-sigs] new rule for detect Microsoft Html Help Workshop Overflow

rmkml rmkml at ...324...
Sun Feb 12 08:44:01 EST 2006


Hi,

Please check and maybe add this new rule:

web-client.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT HTML Help Workshop overflow attempt"; flow:to_client,established; content:"|5B|OPTIONS|5D|"; nocase; content:"Compiled file|3D|"; nocase; pcre:"/^Compiled file\=[^\n]{40,}/mi"; reference:cve,2006-0564; classtype:attempted-user; )

More information:
  http://www.frsirt.com/english/advisories/2006/0446

Improvements/comments are welcome.

This rule is offered by Crusoe Researches (Team)
http://www.crusoe-researches.com

Regards
Rmkml
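
Added example, not part of the original post or of Snort itself: a Python re-expression of the rule's payload options (the two nocase content matches and the pcre), run over constructed .hhp fragments to show which inputs the rule fires on. It ignores the flow and port conditions, and the helper names and sample values are assumptions made for illustration.

```python
import re

# Payload options of the posted rule, re-expressed for offline testing.
CONTENTS = (b"[options]", b"compiled file=")  # content:"..."; nocase;
PCRE = re.compile(rb"^Compiled file=[^\n]{40,}", re.M | re.I)  # /.../mi


def rule_matches(payload: bytes) -> bool:
    """True when both content strings and the pcre match the payload."""
    lowered = payload.lower()
    # Neither content has distance/within, so each may occur anywhere.
    if not all(c in lowered for c in CONTENTS):
        return False
    return PCRE.search(payload) is not None


def hhp(value: str, eol: str = "\r\n", header: str = "[OPTIONS]") -> bytes:
    """Constructed .hhp fragment (hypothetical sample data)."""
    lines = [header, "Compiled file=" + value, "Title=Demo"]
    return (eol.join(lines) + eol).encode("ascii")


# Constructed payloads; none is captured traffic.
SAMPLES = {
    "short_name": hhp("help.chm"),
    "long_value": hhp("A" * 300 + ".chm"),
    # Any value of 40+ bytes matches, including an ordinary long path.
    "long_ordinary_path": hhp(r"C:\Projects\Documentation\Output\Release\manual.chm"),
    "no_options_section": hhp("A" * 300, header="[FILES]"),
    # The key is present but not at the start of a line, so ^ fails.
    "key_mid_line": b"[OPTIONS]\r\n; Compiled file=" + b"A" * 300 + b"\r\n",
    # [^\n] also consumes \r, so CRLF lowers the effective threshold by one.
    "value_39_lf": hhp("B" * 39, eol="\n"),
    "value_39_crlf": hhp("B" * 39),
}


def evaluate() -> dict:
    """Run the emulated rule over every sample and return name -> matched."""
    return {name: rule_matches(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:20} {'ALERT' if hit else 'no match'}")
```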



