[Snort-sigs] Offer sig for detect IISv6 WebDAV If header overflow

rmkml rmkml at ...4129...
Mon Mar 27 15:39:33 EDT 2017


First, thx edwardz246003 for sharing exploit,

Please check sig for detecting IISv6 WebDAV If header overflow:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC IIS v6 WebDAV ScStoragePathFromUrl overflow attempt"; flow:to_server,established;
content:"PROPFIND"; nocase; http_method; content:"|0a|If|3a|"; nocase; http_raw_header; isdataat:1000,relative; content:!"|0A|"; http_raw_header;
within:1000; reference:cve,2017-7269; reference:url,github.com/edwardz246003/IIS_exploit;
classtype:web-application-attack; sid:1; rev:1;)

Please check vars and send any comments.

Best Regards

More information about the Snort-sigs mailing list