[Snort-sigs] Apache mod_rewrite off-by-one sig

Jon Hart jhart at ...288...
Mon Jul 31 21:09:30 EDT 2006

Based on what I've read surrounding this vulnerability (code, mailing
list postings, etc.), I've come up with the following sig to help detect
any exploits if/when they arise.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Apache mod_rewrite off-by-one ldap exploit"; flow:to_server,established; content:"ldap\://"; nocase; reference:cve,2006-3747; sid:11111111112; rev:1;)

This signature should definitely use uricontent, but I couldn't get
it to work in the few minutes I spent on this.  Even when it is tweaked
to work with uricontent, there will still be some false positives as
there are legitimate cases where ldap:// could be contained in the uri.

I suppose it's better than nothing!

Comments welcome,
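The difference between the rule's `content` match (whole TCP payload) and a `uricontent`-style match (normalized request URI only), as an added Python illustration that is not part of the original post or of Snort itself; the HTTP requests are constructed, and the percent-decoding is a simplified stand-in for http_inspect's URI normalization:

```python
"""Approximate the two Snort matching modes discussed for the mod_rewrite sig:
content:"ldap://"; nocase; (whole payload) versus uricontent (normalized URI)."""
from urllib.parse import unquote

PATTERN = "ldap://"


def content_match(payload: bytes, pattern: str = PATTERN) -> bool:
    """Like content:"..."; nocase; -- case-insensitive search of the whole payload."""
    return pattern.lower().encode() in payload.lower()


def request_uri(payload: bytes) -> str:
    """Return the request-target from the HTTP request line, or "" if malformed."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return parts[1].decode("latin-1") if len(parts) == 3 else ""


def uricontent_match(payload: bytes, pattern: str = PATTERN) -> bool:
    """Like uricontent: match only the request URI, after percent-decoding
    (simplified stand-in for http_inspect's URI normalization; assumption)."""
    return pattern.lower() in unquote(request_uri(payload)).lower()


def evaluate(payload: bytes) -> dict:
    """Run both matching modes so the two behaviours can be compared side by side."""
    return {"content": content_match(payload), "uricontent": uricontent_match(payload)}


# Constructed sample requests (not captured traffic; hostnames are placeholders).
REQ_URI = (b"GET /redirect?target=LDAP://ldap.example.test/o=x HTTP/1.1\r\n"
           b"Host: www.example.test\r\n\r\n")                 # ldap:// in the URI
REQ_BODY = (b"POST /contact HTTP/1.1\r\nHost: www.example.test\r\n"
            b"Content-Length: 33\r\n\r\n"
            b"note=our directory is ldap://dir/")               # ldap:// only in body
REQ_ENCODED = (b"GET /redirect?target=ldap%3a%2f%2fldap.example.test/ HTTP/1.1\r\n"
               b"Host: www.example.test\r\n\r\n")             # percent-encoded URI
REQ_CLEAN = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("uri", REQ_URI), ("body", REQ_BODY),
                      ("encoded", REQ_ENCODED), ("clean", REQ_CLEAN)]:
        print(f"{name:8s} {evaluate(req)}")
```

The body-only request shows why the author prefers uricontent (mod_rewrite never sees the POST body), while the percent-encoded request shows why matching the normalized URI, not the raw payload, matters.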
