Snort mailing list archives
Re: Offer sig for detect IISv6 WebDAV If header overflow
From: Tyler Montier <tmontier () sourcefire com>
Date: Mon, 27 Mar 2017 16:39:28 -0400
rmkml,

Thanks for your submission. We will review the rule under our regular testing process and get back to you when it's finished.

Thanks,
Tyler Montier
Cisco Talos

On Mon, Mar 27, 2017 at 3:39 PM, rmkml <rmkml () ligfy org> wrote:
> Hello,
>
> First, thx edwardz246003 for sharing exploit,
>
> Please check sig for detecting IISv6 WebDAV If header overflow:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC IIS v6 WebDAV ScStoragePathFromUrl overflow attempt"; flow:to_server,established; content:"PROPFIND"; nocase; http_method; content:"|0a|If|3a|"; nocase; http_raw_header; isdataat:1000,relative; content:!"|0A|"; http_raw_header; within:1000; reference:cve,2017-7269; reference:url,github.com/edwardz246003/IIS_exploit; classtype:web-application-attack; sid:1; rev:1;)
>
> Please check vars and send any comments.
>
> Best Regards
> @Rmkml
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
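The content checks of the rule quoted above, modeled offline in Python so they can be exercised against benign and oversized requests. This is an added example, not part of the original posts and not Snort's own matching code. It assumes the raw header buffer starts after the request line and reads `isdataat:1000,relative` as "at least 1000 bytes remain"; the helper names, host name and sample requests are constructed.

```python
# Added example: simplified offline model of the posted rule's checks.
HEADER_RUN = 1000  # value used by isdataat:1000 and within:1000 in the rule


def split_request(raw: bytes):
    """Return (method, raw_headers) for one HTTP request.

    Assumption: raw_headers is everything after the request line, up to the
    blank line that ends the header section.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    request_line, _, headers = head.partition(b"\r\n")
    return request_line.split(b" ", 1)[0], headers


def matches_rule(raw: bytes) -> bool:
    """True when the request satisfies every check modeled from the rule."""
    method, headers = split_request(raw)
    # content:"PROPFIND"; nocase; http_method;
    if b"PROPFIND" not in method.upper():
        return False
    lowered = headers.lower()
    marker = b"\nif:"  # content:"|0a|If|3a|"; nocase; http_raw_header;
    pos = lowered.find(marker)
    while pos != -1:
        window = headers[pos + len(marker):pos + len(marker) + HEADER_RUN]
        # isdataat:1000,relative  -> a full 1000-byte window must exist
        # content:!"|0A|"; within:1000 -> and it must not contain a newline
        if len(window) == HEADER_RUN and b"\n" not in window:
            return True
        pos = lowered.find(marker, pos + 1)  # retry on later "If:" lines
    return False


def build_request(method: bytes, value: bytes, name: bytes = b"If") -> bytes:
    """Constructed sample request; host and path are placeholders."""
    return (method + b" / HTTP/1.1\r\nHost: www.example.test\r\n"
            + name + b": " + value + b"\r\nContent-Length: 0\r\n\r\n")


LONG_VALUE = b"A" * 1500  # constructed filler, only long enough to trip the length check
SHORT_VALUE = b"(<opaquelocktoken:constructed-token>)"  # ordinary-sized If value

if __name__ == "__main__":
    for label, req in [("PROPFIND, long If", build_request(b"PROPFIND", LONG_VALUE)),
                       ("PROPFIND, short If", build_request(b"PROPFIND", SHORT_VALUE)),
                       ("GET, long If", build_request(b"GET", LONG_VALUE)),
                       ("PROPFIND, long X-If", build_request(b"PROPFIND", LONG_VALUE, b"X-If"))]:
        print(f"{label}: {'alert' if matches_rule(req) else 'no alert'}")
```

The `X-If` case shows why the rule anchors on the leading `|0a|`: without it, any header whose name merely ends in `If:` would satisfy the content match.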
Current thread:
- Offer sig for detect IISv6 WebDAV If header overflow rmkml (Mar 27)
- Re: Offer sig for detect IISv6 WebDAV If header overflow Tyler Montier (Mar 27)