[Snort-sigs] Apache mod_rewrite off-by-one sig

Joel Esler joel.esler at ...435...
Mon Jul 31 21:12:52 EDT 2006


Jon,

Any way you can provide a packet capture?  Or perhaps fill in an offset/depth for that content match at least?

J

On Mon, Jul 31, 2006 at 06:09:30PM -0700, Jon Hart sent me:
> Based on what I've read surrounding this vulnerability (code, mailing
> list postings, etc), I've come up with the following sig to help detect
> any exploits if/when they arise.
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Apache
> mod_rewrite off-by-one ldap exploit"; flow:to_server,established;
> content:"ldap\://"; nocase; reference:cve,2006-3747; sid:11111111112;
> rev: 1;)
> 
> This signature should definitely use uricontent, but I couldn't get
> it to work in the few minutes I spent on this.  Even when it is tweaked
> to work with uricontent, there will still be some false positives as
> there are legitimate cases where ldap:// could be contained in the uri.
> 
> I suppose it's better than nothing!
> 
> Comments welcome,
> 
> 
> -jon
> 
> 
+---------------------------------------------------------------------+
Joel Esler          Senior Security Consultant         1-706-627-2101
Sourcefire    Security for the /Real/ World -- http://www.sourcefire.com
       Snort - Open Source Network IPS/IDS -- http://www.snort.org
         GPG Key: http://demo.sourcefire.com/jesler.pgp.key
           AIM:eslerjoel  YMSG:eslerjoel Gtalk:eslerj
+---------------------------------------------------------------------+
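As an added illustration of the content vs. uricontent point raised in the quoted message (example code, not from either poster): a small Python model that applies the posted content match over the whole payload and a uricontent-style match over the percent-decoded request URI, run against constructed sample requests. The percent-decoding stands in for Snort's HTTP URI normalization, which is a simplifying assumption.

```python
from urllib.parse import unquote

# Constructed sample HTTP requests (not taken from the thread).
REQUESTS = {
    # ldap:// in the request URI: the case the rule is meant to catch
    "uri_plain": b"GET /redirect?to=ldap://host/ HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # same URI percent-encoded: a raw content match misses it, a normalized URI match does not
    "uri_encoded": b"GET /redirect?to=LDAP%3A%2F%2Fhost%2F HTTP/1.1\r\nHost: example.test\r\n\r\n",
    # ldap:// only in a POST body: content fires (false positive), uricontent does not
    "body_only": b"POST /form HTTP/1.1\r\nHost: example.test\r\nContent-Length: 18\r\n\r\nurl=ldap://host/dc",
    "benign": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

NEEDLE = b"ldap://"

def request_uri(raw):
    """Return the request-target from the HTTP request line, or None if absent."""
    line = raw.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    return parts[1] if len(parts) >= 2 else None

def normalized_uri(raw):
    """Percent-decode the request URI (assumed stand-in for Snort's URI normalization)."""
    uri = request_uri(raw)
    if uri is None:
        return None
    return unquote(uri.decode("latin-1"), encoding="latin-1").encode("latin-1")

def content_match(raw):
    """Rule as posted: content:"ldap://"; nocase; matched anywhere in the payload."""
    return NEEDLE in raw.lower()

def uricontent_match(raw):
    """Proposed refinement: uricontent:"ldap://"; nocase; matched in the normalized URI only."""
    uri = normalized_uri(raw)
    return uri is not None and NEEDLE in uri.lower()

def evaluate(requests=REQUESTS):
    """Map each sample name to (content fired, uricontent fired)."""
    return {name: (content_match(r), uricontent_match(r)) for name, r in requests.items()}

if __name__ == "__main__":
    for name, (c, u) in evaluate().items():
        print(f"{name:12s} content={c!s:5s} uricontent={u!s:5s}")
```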