[Snort-users] Broken rule set for 1.8.7

Phil Wood cpw at ...440...
Thu Jul 25 15:20:03 EDT 2002


Folks,

  http://www.snort.org/dl/signatures/snortrules.tar.gz

contains a broken rule.  It is possible that snort will core dump (depends
on the OS) if this rule exists (doesn't have to trigger).

rules/web-cgi.rules:

  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bash access";flags:A+; uricontent:"/bash"; nocase; reference:cve,CAN-1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:web-application-activity; classtype:web-application-activity; sid:885;  rev:5;)

I'll leave it to the reader to figure out what is wrong with the rule.

Later,

Phil




More information about the Snort-users mailing list