[Snort-sigs] The content pattern of Rule SID: 19713 can be improved
rwang9 at ...2642...
Mon Jul 29 01:42:37 EDT 2013
I am doing research to test Snort rules using Metasploit exploit scripts.
I find that the content pattern of the rule sid:19713 might be inaccurate
and can be improved. The rule is:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX
Mozilla Array.reduceRight integer overflow"; flow:to_client,established;
file_data; content:"a.length=0xffffffff"; nocase;
content:"a.reduceRight|28|callback|2C|0|29|"; distance:0; nocase;
metadata:policy balanced-ips drop, policy security-ips drop, service http;
reference:bugtraq,48372; reference:cve,2011-2371; classtype:attempted-user;
I find that in its content patterns "a.length..." and "a.reduce...", "a" is
this attack), which can be freely chosen by the attacker. In addition, I find
this rule cannot detect the Metasploit attack. The corresponding exploit is
If there is anyone who is familiar with this rule, please take a look, and
correct me if I am wrong.
Thank you very much! Have a nice day!
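
The point raised in the post above, as an added example that is not part of the original message or of the Snort rule set: the rule's two literal content patterns are emulated in Python and compared with a hypothetical identifier-agnostic regex. The sample page fragments, the `LOOSE` pattern and the function names are constructed for illustration.

```python
import re

# Literal patterns from the rule, with |28| |2C| |29| decoded to ( , )
RULE_CONTENTS = ["a.length=0xffffffff", "a.reduceRight(callback,0)"]

def content_match(data, contents=RULE_CONTENTS):
    """Emulate chained `content; nocase; distance:0`: each pattern must
    occur at or after the end of the previous match, ignoring case."""
    data, pos = data.lower(), 0
    for pat in contents:
        idx = data.find(pat.lower(), pos)
        if idx < 0:
            return False
        pos = idx + len(pat)
    return True

# Hypothetical looser signature (an assumption, not a published rule):
# any JavaScript identifier may name the array, but the same identifier
# must be used for both .length=0xffffffff and the .reduceRight( call.
IDENT = r"[A-Za-z_$][\w$]*"
LOOSE = re.compile(
    r"(?<![\w$])(?P<arr>" + IDENT + r")\s*\.\s*length\s*=\s*0xffffffff\b"
    r".*?(?<![\w$])(?P=arr)\s*\.\s*reduceRight\s*\(",
    re.IGNORECASE | re.DOTALL,
)

def loose_match(data):
    """True when the identifier-agnostic pattern is present."""
    return LOOSE.search(data) is not None

# Constructed sample fragments (not taken from any real page or exploit)
SAMPLES = {
    "rule_literal": "var a=[]; a.length=0xffffffff; a.reduceRight(callback,0);",
    "renamed": "var arr=[]; arr.length=0xffffffff; arr.reduceRight(cb,0);",
    "benign": "var a=[1,2,3]; a.length=2; a.reduceRight(sum,0);",
    "unrelated_arrays": "x.length=0xffffffff; y.reduceRight(cb,0);",
}

def compare():
    """Return {sample name: (literal rule result, loose pattern result)}."""
    return {k: (content_match(v), loose_match(v)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, (literal, loose) in compare().items():
        print(f"{name:17} literal={literal!s:5} loose={loose}")
```

A pattern of this kind would be carried in a Snort rule through the `pcre` option alongside a cheaper `content` match, and needs false-positive testing against ordinary JavaScript before deployment.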