[Snort-sigs] Apache mod_rewrite off-by-one sig
jhart at ...288...
Mon Jul 31 21:09:30 EDT 2006
Based on what I've read surrounding this vulnerability (code, mailing
list postings, etc.), I've come up with the following sig to help detect
any exploits if/when they arise.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Apache mod_rewrite off-by-one ldap exploit"; flow:to_server,established; content:"ldap\://"; nocase; reference:cve,2006-3747; sid:11111111112;)

This signature should definitely use uricontent, but I couldn't get
it to work in the few minutes I spent on this. Even when it is tweaked
to work with uricontent, there will still be some false positives as
there are legitimate cases where ldap:// could be contained in the URI.
I suppose it's better than nothing!
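
Added example, not part of the original post and not Snort code: a Python comparison of a whole-payload substring match (what the posted `content` test does) against a match restricted to the percent-decoded request URI (the intent behind `uricontent`). The sample requests, hosts and paths are constructed, and accepting `ldap:/` with a single slash is an assumption made here to tolerate URI normalisers that collapse duplicate slashes.

```python
import re
from urllib.parse import unquote

# "ldap:" plus one or more slashes, case-insensitive (the rule's nocase).
# Accepting a single slash is a choice made here, so that a URI normaliser
# which collapses "//" into "/" does not hide the scheme.
LDAP_SCHEME = re.compile(r"ldap:/+", re.IGNORECASE)

def request_uri(payload: bytes):
    """Return the request-target of an HTTP request, or None if malformed."""
    parts = payload.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[1]

def payload_match(payload: bytes) -> bool:
    """Substring match over the whole payload, like the posted content test."""
    return b"ldap://" in payload.lower()

def uri_match(payload: bytes) -> bool:
    """Match only inside the percent-decoded request URI."""
    uri = request_uri(payload)
    if uri is None:
        return False
    return bool(LDAP_SCHEME.search(unquote(uri, encoding="latin-1")))

# Constructed sample requests (hypothetical hosts and paths).
SAMPLES = {
    "plain_uri": b"GET /app/LDAP://dir.example/x HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "encoded_uri": b"GET /app/ldap%3A%2F%2Fdir.example/x HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "referer_only": b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n"
                    b"Referer: http://www.example/help?see=ldap://dir.example/\r\n\r\n",
    "benign_query": b"GET /search?q=ldap://dir.example/ HTTP/1.1\r\nHost: www.example\r\n\r\n",
}

def compare(samples=SAMPLES):
    """Return {name: (payload_match, uri_match)} for each sample."""
    return {n: (payload_match(p), uri_match(p)) for n, p in samples.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:13} payload={result[0]!s:5} uri={result[1]}")
```

The `referer_only` sample is the false positive that URI-only matching removes, `encoded_uri` is the request a raw substring match misses, and `benign_query` is the kind of legitimate URI that still alerts either way.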