[Snort-sigs] new rule for detect http %00 (null byte)

rmkml rmkml at ...324...
Fri Jan 13 01:21:02 EST 2006


Hi,

Please check and maybe add this new rule:

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-MISC %00 (null byte) attempt"; flow:to_server,established; content:"%00"; 
reference:cve,2000-0149; reference:bugtraq,977; classtype:web-application-attack; )

I added cve20000149 and bid977 because it is the first event found with %00.

Improvements/comments are welcome.

Regards
Rmkml
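
Added example, not part of the original post and not Snort code: a Python sketch that emulates only the rule's unmodified content:"%00" test against constructed HTTP requests and reports which part of each request triggered it, to show how widely the rule would alert. The sample requests, host names and function names are assumptions made for illustration; the flow, port and address conditions of the rule are not modelled.

```python
PATTERN = b"%00"  # content:"%00" from the posted rule

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "null byte in URI":
        b"GET /docs/a%00b HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "clean request":
        b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "null byte in Referer only":
        b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n"
        b"Referer: http://search.example.net/?q=a%00b\r\n\r\n",
    "null byte in POST body only":
        b"POST /form HTTP/1.0\r\nHost: www.example.com\r\n"
        b"Content-Length: 12\r\n\r\nfield=ab%00c",
}


def rule_matches(payload: bytes) -> bool:
    """content with no modifiers: a byte search over the whole payload."""
    return PATTERN in payload


def locate(payload: bytes) -> list:
    """Name each part of the request that contains the pattern."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = []
    request_line = lines[0].split(b" ")
    if len(request_line) >= 2 and PATTERN in request_line[1]:
        parts.append("uri")
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if PATTERN in value:
            parts.append("header:" + name.decode("ascii", "replace").strip().lower())
    if PATTERN in body:
        parts.append("body")
    return parts


def triage() -> dict:
    """Map each sample label to (would the rule alert, where the match is)."""
    return {label: (rule_matches(p), locate(p)) for label, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, (hit, where) in triage().items():
        print(f"{label:30} alert={hit!s:5} where={where}")
```

The Referer and POST body samples alert even though the requested URI is clean, which is the false-positive surface to weigh before enabling the rule as posted.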



