[Snort-sigs] New rule for detect ColdFusion view source with double encoding null byte

rmkml rmkml at ...324...
Wed Jan 10 10:06:59 EST 2007


Hi,

Please check and maybe add this new rule for detect ColdFusion view source with double encoding null byte :
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-COLDFUSION double encoding null byte .cfm view source attempt"; flow:to_server,established; uricontent:".cfm"; nocase; content:"%2500"; reference:cve,2006-5858; classtype:attempted-recon; sid:+1; rev:1;)

Credits:
Crusoe Researches
http://www.Crusoe-Researches.com
contact at ...3281...
CR have already created more than 1500 new rules ! (commercial access)

Best Regards
Rmkml





More information about the Snort-sigs mailing list