Snort mailing list archives
Data required about an old exploit
From: ecmproute <ecmproute () gmail com>
Date: Wed, 1 Feb 2006 11:51:50 +0530
Hi,

The rule with sid 1564:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC login.htm access"; flow:to_server,established; uricontent:"/login.htm"; nocase; reference:bugtraq,665; reference:cve,1999-1533; classtype:web-application-activity; sid:1564; rev:6;)

It is blocking even naive login.html pages. I have gone through the details provided by the Snort.org site about this rule. I don't want to remove the rule altogether, but make it more accurate so that it stops only the attacks on Eicon Networks DIVA T/A ISDN Modem 2.0, Eicon Networks DIVA T/A ISDN Modem 1.0 and Eicon Networks DIVA LAN ISDN Modem 1.0 Release 2.5.

Was it a length-based (huge string supplied to the HTTP server) exploit? Then is there any way I can specify that when this kind of request is made, the max length should not be more than, say, 40 characters? Can I get more info on this exploit, so that I can change the rule accordingly?

Thanks in advance,
ecmproute
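The following is an added example, not part of the original post or of the Snort rule set. It emulates why the sid:1564 `uricontent` test also fires on ordinary login.html pages (it is a substring match) and what the poster's proposed tightening (exact /login.htm path plus a 40-character length threshold, assumed here as an illustration rather than taken from the original advisory) would do to the same constructed request lines.

```python
# Added example (not from the mailing list post): emulates how the sid:1564
# uricontent test behaves and how a tightened predicate narrows it.

# Constructed sample HTTP request lines (not real captured traffic).
SAMPLE_REQUESTS = [
    "GET /login.htm HTTP/1.0",                    # plain request for the target page
    "GET /login.html HTTP/1.1",                   # ordinary HTML login page
    "GET /admin/login.html?user=bob HTTP/1.1",    # ordinary, longer, still .html
    "GET /login.htm?" + "A" * 60 + " HTTP/1.0",   # long request aimed at login.htm
]

def request_uri(request_line: str) -> str:
    """Return the request-URI from an HTTP request line (method SP URI SP version)."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        raise ValueError(f"malformed request line: {request_line!r}")
    return parts[1]

def matches_sid1564(uri: str) -> bool:
    """uricontent:"/login.htm"; nocase; is a case-insensitive substring test,
    so it also fires on '/login.html': the false positive described in the post."""
    return "/login.htm" in uri.lower()

def matches_tightened(uri: str, max_len: int = 40) -> bool:
    """Tightened predicate: the path component must end in exactly /login.htm
    (no trailing 'l'), and the whole URI must exceed max_len characters.
    The 40-character threshold is the value suggested in the post, assumed
    here for illustration rather than verified against the original advisory."""
    path = uri.split("?", 1)[0]
    return path.lower().endswith("/login.htm") and len(uri) > max_len

def evaluate(requests=SAMPLE_REQUESTS):
    """Return (uri, original_hit, tightened_hit) for each request line."""
    return [(u, matches_sid1564(u), matches_tightened(u))
            for u in (request_uri(r) for r in requests)]

if __name__ == "__main__":
    for uri, orig, tight in evaluate():
        print(f"{uri[:40]:<40} sid1564={orig!s:<5} tightened={tight}")
```

In Snort itself the same two constraints are expressed inside the rule with the urilen keyword (URI length) and a pcre match anchored on the URI, rather than in Python; the script only makes the matching behaviour visible.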
Current thread:
- Data required about an old exploit ecmproute (Jan 31)