[Snort-sigs] CA CAM log_security overflow rule typo

Blake Hartstein bhartstein at ...274...
Wed Mar 1 14:11:04 EST 2006

I think this rule was meant to be content:!"|00|"; instead of 
content:!"00"; It should be detecting a null-byte and not double zeroes.

You can evade this rule by using 00 in your payload.

alert tcp $EXTERNAL_NET any -> $HOME_NET 4105 (msg:"EXPLOIT CA CAM 
log_security overflow attempt"; flow:to_server,established; content:"|FA 
F9 00 10|"; isdataat:1025; content:!"00"; within:1021; 
reference:bugtraq,14622; reference:cve,2005-2668; classtype:misc-attack; 
sid:5316; rev:1;)


This email and any files transmitted with it are solely intended for the use of the addressee(s) and may contain information that is confidential and privileged.  If you receive this email in error, please advise us by return email immediately. Please also disregard the contents of the email, delete it and destroy any copies immediately.  Demarc Security, Inc. does not accept liability for the views expressed in the email or for the consequences of any computer viruses that may be transmitted with this email.

This email is also subject to copyright. No part of it should be reproduced, adapted or transmitted without the written consent of the copyright owner.

More information about the Snort-sigs mailing list