Snort mailing list archives
Re: Rule 17494
From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 01 Oct 2010 16:14:52 -0400
On 10/1/2010 15:08, Jefferson, Shawn wrote:
Anyone else notice this rule, 17494 triggering a lot today? Or is it just me… it’s an old vulnerability from 2006. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft Internet Explorer Long URL Buffer Overflow attempt"; flow:established,to_server; urilen:>260; content:"GET"; http_method; content:"HTTP|2F|1|2E|1|0D 0A|"; metadata:service http; reference:bugtraq,19667; reference:cve,2006-3869; classtype:attempted-user; sid:17494; rev:1;)
please remember to include the GID (and revision)... AFAICT, this is either a GID:3 (SO rule) or it is one of the new ones not yet available to "registered" users... thank you ;) ------------------------------------------------------------------------------ Start uncovering the many advantages of virtual appliances and start using them to simplify application deployment and accelerate your shift to cloud computing. http://p.sf.net/sfu/novell-sfdev2dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Rule 17494 Jefferson, Shawn (Oct 01)
- Re: Rule 17494 Tomas Heredia (Oct 01)
- Re: Rule 17494 Joel Esler (Oct 01)
- Re: Rule 17494 Jeff Kell (Oct 01)
- Re: Rule 17494 waldo kitty (Oct 01)
- Re: Rule 17494 Jefferson, Shawn (Oct 01)
- Re: Rule 17494 JJC (Oct 01)
- Re: Rule 17494 waldo kitty (Oct 01)
- Re: Rule 17494 JJC (Oct 01)
- Re: Rule 17494 Tomas Heredia (Oct 01)
- Re: Rule 17494 infosec posts (Oct 01)
- Re: Rule 17494 Joel Esler (Oct 01)