[Snort-users] Broken rule set for 1.8.7
cpw at ...440...
Thu Jul 25 15:20:03 EDT 2002
contains a broken rule. It is possible that snort will core dump (depends
on the OS) if this rule exists (doesn't have to trigger).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bash access";flags:A+; uricontent:"/bash"; nocase; reference:cve,CAN-1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:web-application-activity; classtype:web-application-activity; sid:885; rev:5;)
I'll leave it to the reader to figure out what is wrong with the rule.
More information about the Snort-users