Snort mailing list archives
RE: IIS/5.0 Content-Length Bug signature.
From: "Ivan Hernandez Puga" <ivan.hernandez () globalsis com ar>
Date: Thu, 13 Dec 2001 14:30:29 -0300
Yes! That's what I needed. Thank you!

Ivan Hernandez

-----Original Message-----
From: Chris Green [mailto:cmg () uab edu]
Sent: Thursday, December 13, 2001 2:27 PM
To: Ivan Hernandez Puga
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] IIS/5.0 Content-Length Bug signature.

"Ivan Hernandez Puga" <ivan.hernandez () globalsis com ar> writes:

> Hello. I need to create a signature that searches for a "GET" request with the Content-Length invalid header. I have taken the cmd.exe signature and touched it. Until now it works for me.
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS Content-Length Bug"; flags: A+; content:"Content-Length"; nocase; classtype:web-application-attack; sid:1002; rev:2;)

This will go off with lots of false alarms as Content-Length: is done on every POST:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
    (msg:"WEB-IIS Content-Length Bug"; flags: A+; \
    content: !"POST "; depth: 5; nocase; \
    content:"Content-Length"; nocase; \
    classtype:web-application-attack; )

Is probably a bit closer to what we need although I haven't tested it

--
Chris Green <cmg () uab edu>
A watched process never cores.
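
The two rules discussed in this thread, as an added example that is not part of the original messages and is not Snort code: a Python sketch that models only the rules' content options (nocase, depth, negation) and runs them over constructed requests to show where each one fires. The function names and sample payloads are assumptions; TCP flags, ports and stream reassembly are ignored.

```python
# Simplified model of the content options in the two rules from the thread.
# Added example: not Snort's matcher; ignores flags: A+, ports and reassembly.

def content_match(payload: bytes, pattern: bytes, depth=None, negate=False) -> bool:
    """nocase search, optionally limited to the first `depth` payload bytes."""
    window = payload if depth is None else payload[:depth]
    found = pattern.lower() in window.lower()
    return found != negate  # negate models content: !"..."

def rule_original(payload: bytes) -> bool:
    # content:"Content-Length"; nocase;
    return content_match(payload, b"Content-Length")

def rule_revised(payload: bytes) -> bool:
    # content: !"POST "; depth: 5; nocase; content:"Content-Length"; nocase;
    return (content_match(payload, b"POST ", depth=5, negate=True)
            and content_match(payload, b"Content-Length"))

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "post_form": b"POST /login.asp HTTP/1.0\r\nContent-Length: 9\r\n\r\nuser=ivan",
    "get_plain": b"GET /default.htm HTTP/1.0\r\nHost: www\r\n\r\n",
    "get_with_length": b"GET /default.htm HTTP/1.0\r\nContent-Length: 1024\r\n\r\n",
    "put_upload": b"PUT /notes.txt HTTP/1.0\r\nContent-Length: 2\r\n\r\nhi",
    "get_in_uri": b"GET /search?q=content-length HTTP/1.0\r\n\r\n",
}

def evaluate():
    """Return {sample_name: (original_fires, revised_fires)}."""
    return {name: (rule_original(p), rule_revised(p)) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (orig, rev) in evaluate().items():
        print(f"{name:16} original={orig!s:5} revised={rev}")
```

In this model the negated "POST " check removes the alert on ordinary form posts, while the revised rule still fires on a PUT with a body and on a GET whose URI merely contains the string, so both cases are worth checking when tuning the signature.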