[Snort-sigs] new rule for detect ZeroDay winamp PlayList

rmkml rmkml at ...324...
Mon Jan 30 12:15:01 EST 2006


Hi,

please check and maybe add this new rule :

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-MISC Winamp PlayList buffer overflow attempt"; flow:to_server,established; 
content:"playlist"; nocase; content:"\\\\"; classtype:attempted-admin; )

more infos to :
  http://www.frsirt.com/english/advisories/2006/0361

Improve/comments are welcome.

This rule is offered by Crusoe Researches (Team)
http://www.crusoe-researches.com

Regards
Rmkml




More information about the Snort-sigs mailing list