[Snort-users] SID 1156
albertg at ...7909...
Sat Jan 11 07:02:05 EST 2003
That looks to me like the Chunked Encoding Apache Vulnerability. You can
check out the actual exploit code for it on packetstorm  and cert 
An official advisory (which is never useful). If this isn't it,
whoops... It's Way too early to be snorting anyway.
 - http://packetstorm.decepticons.org/0206-exploits/apache-nosejob.c
 - http://www.cert.org/advisories/CA-2002-17.html
PS: Don't cross posts on the various lists, I just noticed when I hit
"reply-all" that you sent both to snort-users and snort-sigs.... thanks!
"The secret to success is to start from scratch and keep on scratching.
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Apurv
Sent: Friday, January 10, 2003 11:19 AM
To: snort-sigs at lists.sourceforge.net
Cc: snort-users at lists.sourceforge.net
Subject: [Snort-users] SID 1156
I got close to 40 alerts on this rule. It triggers if the content
2f2f2f2f2f2f2f2f and it's classified as an Apache DOS attempt. Does
know which vulnerability in Apache is this exploit for ?
More information about the Snort-users