[Snort-sigs] new rule for detect SIP UDP Softphone overflow attempt

rmkml rmkml at ...324...
Fri Jan 13 07:01:03 EST 2006


Hi,

Please check and maybe add this new rule:

exploit.rules:
alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"EXPLOIT SIP UDP Softphone overflow attempt"; content:"|3B|branch|3D|"; content:"a|3D|"; pcre:"/a\x3D[^\n]{1000,}/smi"; reference:bugtraq,16213; reference:cve,2006-0189; classtype:misc-attack;)

This rule detects an overflow of the 'a' param.

Improvements/comments are welcome.

Regards
Rmkml
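
The rule's payload checks, emulated in Python over constructed SIP INVITE payloads, as an added example that is not part of the original post. It shows what the two content matches and the pcre alert on, including the CRLF boundary and a hit on a long non-SDP header; the helper names, addresses and the X-Note header are assumptions made up for the test.

```python
import re

# Payload options copied from the rule in the post above.
CONTENT_BRANCH = b";branch="   # content:"|3B|branch|3D|"
CONTENT_ATTR = b"a="           # content:"a|3D|" (case-sensitive, no nocase)
PCRE = re.compile(rb"a\x3D[^\n]{1000,}", re.S | re.M | re.I)  # flags /smi


def rule_matches(payload: bytes) -> bool:
    """Emulate the rule's payload checks: both contents, then the pcre."""
    return (CONTENT_BRANCH in payload and CONTENT_ATTR in payload
            and PCRE.search(payload) is not None)


def build_invite(attr_value: bytes, extra_header: bytes = b"") -> bytes:
    """Constructed SIP INVITE whose SDP body carries a single a= line."""
    sdp = (b"v=0\r\no=- 0 0 IN IP4 192.0.2.10\r\ns=-\r\n"
           b"c=IN IP4 192.0.2.10\r\nt=0 0\r\n"
           b"m=audio 49170 RTP/AVP 0\r\n"
           b"a=" + attr_value + b"\r\n")
    head = (b"INVITE sip:bob@example.test SIP/2.0\r\n"
            b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed\r\n"
            b"From: <sip:alice@example.test>;tag=1\r\n"
            b"To: <sip:bob@example.test>\r\n"
            b"Call-ID: constructed-1@192.0.2.10\r\n"
            b"CSeq: 1 INVITE\r\n" + extra_header +
            b"Content-Type: application/sdp\r\n"
            b"Content-Length: " + str(len(sdp)).encode() + b"\r\n\r\n")
    return head + sdp


def run_cases() -> dict:
    """Return {case name: rule verdict} for the constructed payloads."""
    return {
        "normal_rtpmap": rule_matches(build_invite(b"rtpmap:0 PCMU/8000")),
        "oversized_attr": rule_matches(build_invite(b"x" * 1200)),
        # [^\n] also consumes the trailing \r, so 999 value bytes + CR = 1000.
        "value_998_bytes": rule_matches(build_invite(b"x" * 998)),
        "value_999_bytes": rule_matches(build_invite(b"x" * 999)),
        # Unanchored "a=" also matches inside "data=" in a long header line.
        "long_header_only": rule_matches(build_invite(
            b"rtpmap:0 PCMU/8000", b"X-Note: data=" + b"x" * 1200 + b"\r\n")),
    }


if __name__ == "__main__":
    for name, hit in run_cases().items():
        print(f"{name:18} alert={hit}")
```

Because the pcre is not anchored to a line start, any header or body line containing "a=" followed by 1000 or more non-newline bytes satisfies it, which is worth weighing when tuning the rule for false positives.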



