[Snort-sigs] [Emerging-Sigs] Offer a new sig for detecting possible last PCRE overflow

Will Metcalf wmetcalf at ...3525...
Wed Mar 23 12:09:31 EDT 2016


Sorry for the long delay. I've been trying to figure out a way in which
this detection logic might be applicable; it seems you would have to
DL/compile/evaluate an externally provided RE, correct?

Regards,

Will

On Sat, Mar 19, 2016 at 2:39 PM, rmkml <rmkml at ...174...> wrote:

> Hi,
>
> The http://etplc.org project offers a new sig for detecting possible last
> PCRE overflow on @Snort community challenge and @EmergingThreats:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
> libPCRE before 8.39 or libPCRE2 before 10.22 possible workspace overflow
> attempt"; flow:from_server,established; file_data; content:"(*ACCEPT)";
> nocase; distance:0; reference:cve,2016-3191; reference:url,
> bugzilla.redhat.com/show_bug.cgi?id=1311503; classtype:misc-activity;
> sid:1; rev:1;)
>
> Don't forget to check variables.
>
> It's only an example; a few other possibilities exist ;)
> (check the example on the reference link)
>
> Please send any comments.
>
> Regards
> @Rmkml