[Snort-users] SID 1156

Alberto Gonzalez albertg at ...7909...
Sat Jan 11 07:02:05 EST 2003

That looks to me like the Chunked Encoding Apache Vulnerability. You can
check out the actual exploit code for it on packetstorm [1] and cert [2]
An official advisory (which is never useful). If this isn't it,
whoops... It's Way too early to be snorting anyway.

	Alberto Gonzalez

[1] - http://packetstorm.decepticons.org/0206-exploits/apache-nosejob.c
[2] - http://www.cert.org/advisories/CA-2002-17.html

PS: Don't cross posts on the various lists, I just noticed when I hit
"reply-all" that you sent both to snort-users and snort-sigs.... thanks!

"The secret to success is to start from scratch and keep on scratching. 

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Apurv
Sent: Friday, January 10, 2003 11:19 AM
To: snort-sigs at lists.sourceforge.net
Cc: snort-users at lists.sourceforge.net
Subject: [Snort-users] SID 1156

I got close to 40 alerts on this rule. It triggers if the content
2f2f2f2f2f2f2f2f and it's classified as an Apache DOS attempt. Does
know which vulnerability in Apache is this exploit for ?


More information about the Snort-users mailing list