[Snort-sigs] Offer sig for detect IISv6 WebDAV If header overflow

Tyler Montier tmontier at ...435...
Mon Mar 27 16:39:28 EDT 2017


rmkml,

Thanks for your submission. We will review the rule under our regular
testing process and get back to you when it's finished.

Thanks,

Tyler Montier
Cisco Talos

On Mon, Mar 27, 2017 at 3:39 PM, rmkml <rmkml at ...4129...> wrote:

> Hello,
>
> First, thx edwardz246003 for sharing exploit,
>
> Please check sig for detecting IISv6 WebDAV If header overflow:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC IIS v6 WebDAV ScStoragePathFromUrl overflow attempt"; flow:to_server,established; content:"PROPFIND"; nocase; http_method; content:"|0a|If|3a|"; nocase; http_raw_header; isdataat:1000,relative; content:!"|0A|"; http_raw_header; within:1000; reference:cve,2017-7269; reference:url,github.com/edwardz246003/IIS_exploit; classtype:web-application-attack; sid:1; rev:1;)
>
> Please check vars and send any comments.
>
> Best Regards
> @Rmkml
>
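The match logic of the rule quoted above, approximated in Python and run over constructed requests. This is an added example, not part of the thread and not Snort's own buffer handling; the helper names, the sample requests and the way the header buffer is modelled are assumptions.

```python
import re

WINDOW = 1000  # byte count the rule uses for both isdataat and within


def split_request(raw: bytes):
    """Return (method, header_bytes) for a raw HTTP request."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    request_line, sep, headers = head.partition(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    if not sep:
        return method, b""
    # Assumption: keep a leading LF so "\nIf:" can also match the first header,
    # and restore the CRLF that terminates the last header line.
    return method, b"\n" + headers + b"\r\n"


def matches_rule(raw: bytes) -> bool:
    """Approximate the rule: PROPFIND plus an If header line of 1000+ bytes."""
    method, headers = split_request(raw)
    if method.upper() != b"PROPFIND":          # content:"PROPFIND"; nocase; http_method
        return False
    for m in re.finditer(rb"\nif:", headers, re.IGNORECASE):  # content:"|0a|If|3a|"; nocase
        tail = headers[m.end():]
        long_enough = len(tail) >= WINDOW      # isdataat:1000,relative
        no_newline = b"\n" not in tail[:WINDOW]  # content:!"|0A|"; within:1000
        if long_enough and no_newline:
            return True
    return False


def build(method: bytes, if_value: bytes) -> bytes:
    """Constructed request; the long User-Agent makes sure data follows the If line."""
    return (method + b" /dav/ HTTP/1.1\r\nHost: example.test\r\nIf: " + if_value +
            b"\r\nUser-Agent: " + b"u" * 1200 + b"\r\nContent-Length: 0\r\n\r\n")


# Constructed header values: plain filler, only the length matters to the rule.
LONG_IF = b"<http://example.test/" + b"A" * 1200 + b">"
SHORT_IF = b"(<urn:constructed-token>)"

if __name__ == "__main__":
    for method, value in [(b"PROPFIND", LONG_IF), (b"PROPFIND", SHORT_IF), (b"GET", LONG_IF)]:
        print(method.decode(), len(value), matches_rule(build(method, value)))
```

The short `If` case is the one worth noting: more than 1000 bytes follow the header name, so the length check alone would fire, and it is the negated newline match that keeps the rule quiet.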