[Snort-sigs] [Emerging-Sigs] Offer a new sig for detecting possible last PCRE overflow
wmetcalf at ...3525...
Wed Mar 23 12:09:31 EDT 2016
Sorry for the long delay. I've been trying to figure out a way in which
this detection logic might be applicable. It seems you would have to
DL/Compile/Evaluate an externally provided RE, correct?
On Sat, Mar 19, 2016 at 2:39 PM, rmkml <rmkml at ...174...> wrote:
> The http://etplc.org project offers a new sig for detecting possible last
> PCRE overflow on @Snort community challenge and @EmergingThreats:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
> libPCRE before 8.39 or libPCRE2 before 10.22 possible workspace overflow
> attempt"; flow:from_server,established; file_data; content:"(*ACCEPT)";
> nocase; distance:0; reference:cve,2016-3191; reference:url,
> bugzilla.redhat.com/show_bug.cgi?id=1311503; classtype:misc-activity;
> sid:1; rev:1;)
> Don't forget to check variables.
> It's only an example; a few other possibilities exist ;)
> (check example on reference link)
> Please send any comments.
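An added example, not part of the thread and not ETPLC or Emerging Threats code: a Python emulation of the proposed rule's single content match (`file_data; content:"(*ACCEPT)"; nocase;`) run over constructed HTTP responses. The function names and sample bodies are hypothetical, and treating `file_data` as the gunzipped response body is an assumption of this sketch.

```python
import gzip
import re

# The rule's only content match: content:"(*ACCEPT)"; nocase;
VERB = re.compile(re.escape(b"(*ACCEPT)"), re.IGNORECASE)

def response_body(raw):
    """Return the HTTP response body, gunzipped when Content-Encoding says so.

    Assumption: this approximates the decoded buffer file_data points at.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    if b"content-encoding: gzip" in head.lower():
        body = gzip.decompress(body)
    return body

def rule_hits(raw):
    """Offsets in the decoded body where the rule's content match would land."""
    return [m.start() for m in VERB.finditer(response_body(raw))]

def http_response(body, ctype, compress=False):
    """Build a constructed HTTP response for the samples below."""
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: " + ctype]
    if compress:
        body = gzip.compress(body)
        headers.append(b"Content-Encoding: gzip")
    headers.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(headers) + b"\r\n\r\n" + body

# Constructed sample bodies (not captured traffic).
PATTERN_JS = b'var p = "foo(*accept)";'
DOCS_HTML = b"<p>The (*ACCEPT) verb ends a match successfully.</p>"
SAMPLES = {
    "pattern in script": http_response(PATTERN_JS, b"text/javascript"),
    "pattern, gzip body": http_response(PATTERN_JS, b"text/javascript", True),
    "docs mentioning verb": http_response(DOCS_HTML, b"text/html"),
    "unrelated page": http_response(b"<p>hello</p>", b"text/html"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        hits = rule_hits(raw)
        print(f"{name:22} alert={bool(hits)} offsets={hits}")
```

The documentation sample alerts exactly like the script sample, which bears on the applicability question in the reply: a hit shows the verb was delivered in a response body, not that a libPCRE build older than the versions named in the rule ever compiled it.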