[Snort-sigs] CA CAM log_security overflow rule typo

Matthew Watchinski mwatchinski at ...435...
Wed Mar 1 14:50:05 EST 2006


Good catch, we'll get this fixed.

Cheers,
-matt

Blake Hartstein wrote:
> I think this rule was meant to be content:!"|00|"; instead of 
> content:!"00"; It should be detecting a null-byte and not double zeroes.
> 
> You can evade this rule by using 00 in your payload.
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 4105 (msg:"EXPLOIT CA CAM log_security overflow attempt"; flow:to_server,established; content:"|FA F9 00 10|"; isdataat:1025; content:!"00"; within:1021; reference:bugtraq,14622; reference:cve,2005-2668; classtype:misc-attack; sid:5316; rev:1;)
> 
> Cheers,
> -Blake
> 

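To make the consequence of the typo concrete, the following is an added Python example (not Snort code and not part of the thread) that mimics only the content / isdataat / within logic of SID 5316 and evaluates the typo pattern and the intended pattern on constructed payloads. The isdataat modelling (payload longer than 1025 bytes) is a simplification of Snort's absolute-offset check.

```python
# Added example: a tiny evaluator for the content / isdataat / within options
# used by SID 5316, run on constructed payloads, to show what the typo changes.

HEADER = bytes.fromhex("FAF90010")   # content:"|FA F9 00 10|"
DATA_AT = 1025                        # isdataat:1025 (absolute, no 'relative')
WINDOW = 1021                         # within:1021, relative to the header match

TYPO_PATTERN = b"00"                  # content:!"00"   -> two ASCII '0' characters
INTENDED_PATTERN = b"\x00"            # content:!"|00|" -> a single null byte


def rule_alerts(payload: bytes, negated: bytes) -> bool:
    """Return True if this simplified rule would alert on `payload`.

    `negated` is the pattern of the content:! option; a negated content
    succeeds only when the pattern is absent from its search window.
    """
    start = payload.find(HEADER)
    if start < 0:
        return False
    # isdataat:1025 without 'relative' asks for data at payload offset 1025;
    # modelled here (an assumption) as the payload having more than 1025 bytes.
    if len(payload) <= DATA_AT:
        return False
    end = start + len(HEADER)
    window = payload[end:end + WINDOW]
    return negated not in window      # content:! -> alert only if NOT found


# Constructed payloads (not real traffic): a long buffer with no null byte is
# the overflow shape the rule is meant to catch.
OVERFLOW_PLAIN = HEADER + b"A" * 1200
OVERFLOW_WITH_ASCII_00 = HEADER + b"A" * 500 + b"00" + b"A" * 700
LONG_BUT_NULL_TERMINATED = HEADER + b"user\x00" + b"A" * 1200


def compare() -> dict:
    """Evaluate the typo rule and the intended rule on each sample."""
    samples = {
        "plain overflow": OVERFLOW_PLAIN,
        "overflow containing ASCII 00": OVERFLOW_WITH_ASCII_00,
        "long, null-terminated": LONG_BUT_NULL_TERMINATED,
    }
    return {name: {"typo": rule_alerts(p, TYPO_PATTERN),
                   "intended": rule_alerts(p, INTENDED_PATTERN)}
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:30s} typo={r['typo']!s:5s} intended={r['intended']}")
```

The output shows the typo rule both missing the overflow-shaped payload that happens to contain the characters "00" and alerting on a long, properly null-terminated payload, while the intended `content:!"|00|"` version does the opposite in both cases.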