[Snort-sigs] CA CAM log_security overflow rule typo
mwatchinski at ...435...
Wed Mar 1 14:50:05 EST 2006
Good catch, we'll get this fixed.
Blake Hartstein wrote:
> I think this rule was meant to be content:!"|00|"; instead of
> content:!"00"; It should be detecting a null-byte and not double zeroes.
> You can evade this rule by using 00 in your payload.
> alert tcp $EXTERNAL_NET any -> $HOME_NET 4105 (msg:"EXPLOIT CA CAM
> log_security overflow attempt"; flow:to_server,established; content:"|FA
> F9 00 10|"; isdataat:1025; content:!"00"; within:1021;
> reference:bugtraq,14622; reference:cve,2005-2668; classtype:misc-attack;
> sid:5316; rev:1;)
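Added example, not part of the original thread or of the Snort ruleset: a simplified Python model of the quoted rule's payload options, run over constructed payloads, to show that `"00"` and `"|00|"` decode to different bytes and how that changes the rule's verdicts. The function names and sample payloads are assumptions made for illustration, and the model only tries the first marker occurrence.

```python
MARKER = "|FA F9 00 10|"  # first content match from sid:5316

def decode_content(pattern: str) -> bytes:
    """Decode a Snort content string: bytes between |...| are hex, the rest is literal ASCII."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return bytes(out)

def rule_fires(payload: bytes, negated: str) -> bool:
    """Simplified model of: content:MARKER; isdataat:1025; content:!negated; within:1021;
    Only the first MARKER occurrence is tried (Snort itself may retry later ones)."""
    marker = decode_content(MARKER)
    pos = payload.find(marker)
    if pos < 0 or len(payload) <= 1025:  # marker missing, or no data at offset 1025
        return False
    start = pos + len(marker)
    window = payload[start:start + 1021]  # within:1021, relative to the marker match
    return decode_content(negated) not in window

def compare(payload: bytes) -> tuple:
    """Return (fires with content:!"00", fires with content:!"|00|")."""
    return rule_fires(payload, "00"), rule_fires(payload, "|00|")

# Constructed payloads for rule testing (not captured traffic).
HDR = decode_content(MARKER)
SAMPLES = {
    "long field, no terminator": HDR + b"A" * 1100,
    "long field containing ASCII 00": HDR + b"A" * 500 + b"00" + b"A" * 600,
    "field null-terminated early": HDR + b"A" * 100 + b"\x00" + b"B" * 1000,
    "short message": HDR + b"A" * 100,
}

if __name__ == "__main__":
    print(decode_content("00"), decode_content("|00|"))
    for name, data in SAMPLES.items():
        as_written, corrected = compare(data)
        print(f"{name:32} as-written={as_written} corrected={corrected}")
```

The third sample shows that the typo also costs precision: a field that is properly null-terminated inside the window still alerts when the rule looks for ASCII `00` instead of a null byte.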