Security Incidents mailing list archives

Seeing Chunked content

From: "james" <jamesh () cybermesa com>
Date: Fri, 5 Jul 2002 14:24:24 -0600

From earliest 12:32:51.184478 on 07/04/2002 to latest 12:37:20.390845 on
07/04/2002, I saw 4,718 matches to this rule, from one source IP:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
(msg: "Apache chunked encoding exploit, AAAAA padding"; flags: A+; \
content: "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";)

[**] [1:0:0] Apache chunked encoding exploit, AAAAA padding [**]
07/04-12:32:51.184478 216.136.145.169:1748 -> a.b.c.d:80
TCP TTL:50 TOS:0x0 ID:12860 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x2C62C33B Ack: 0xF74A6090 Win: 0x4470 TcpLen: 20

Very few alerts (4 a day) prior to this. Due to complex reasons the vendor
and sys admin decided not to upgrade httpd on this box. When I logged in, an
httpd process was running at 99%, and had been for some time. This is a beefy,
multi-processor server so there was no DoS. Webserving continued as normal.
A restart of the httpd service restored normal operation.


James Edwards
jamesh () cybermesa com
At the Santa Fe Office: Internet at Cyber Mesa
Store hours: 9-6 Monday through Friday
Phone support 365 days till 10 pm via the Santa Fe office:
505-988-9200 or Toll Free: 888-988-2700
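The "4,718 matches from one source IP between earliest and latest" summary above is the kind of per-source aggregation a responder wants from Snort's full-alert output. The following is an added example, not code from the original post: it parses alert records in the exact format quoted above (the `[**] [sid] msg [**]` header followed by the timestamp/endpoint line), counts hits per source IP with first and last timestamps, and flags sources that exceed a threshold. The sample alerts are constructed, and the year (2002, absent from Snort's timestamps) is an assumption passed in by the caller.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Snort's full-alert format as quoted in the post.
# Only the header and endpoint lines are parsed; detail lines are skipped.
SAMPLE_ALERTS = """\
[**] [1:0:0] Apache chunked encoding exploit, AAAAA padding [**]
07/04-12:32:51.184478 216.136.145.169:1748 -> a.b.c.d:80
TCP TTL:50 TOS:0x0 ID:12860 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x2C62C33B Ack: 0xF74A6090 Win: 0x4470 TcpLen: 20

[**] [1:0:0] Apache chunked encoding exploit, AAAAA padding [**]
07/04-12:35:03.000100 216.136.145.169:1752 -> a.b.c.d:80

[**] [1:0:0] Apache chunked encoding exploit, AAAAA padding [**]
07/04-12:37:20.390845 216.136.145.169:1790 -> a.b.c.d:80

[**] [1:0:0] Apache chunked encoding exploit, AAAAA padding [**]
07/04-13:01:00.000000 10.0.0.5:2000 -> a.b.c.d:80
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+:\d+:\d+)\] (.+?) \[\*\*\]$")
ENDPOINTS = re.compile(r"^(\d\d/\d\d)-(\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_alerts(text, year):
    """Yield (timestamp, sid, msg, src_ip, dst_ip) for each alert record."""
    pending = None  # (sid, msg) from the most recent header line
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            pending = (h.group(1), h.group(2))
            continue
        e = ENDPOINTS.match(line)
        if e and pending:
            # Snort omits the year; the caller supplies it (assumed 2002 here).
            ts = datetime.strptime(f"{year}/{e.group(1)} {e.group(2)}", "%Y/%m/%d %H:%M:%S.%f")
            yield ts, pending[0], pending[1], e.group(3), e.group(5)
            pending = None


def summarize_by_source(text, year=2002):
    """Per (msg, src_ip): hit count plus earliest and latest timestamp."""
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for ts, _sid, msg, src, _dst in parse_alerts(text, year):
        s = stats[(msg, src)]
        s["count"] += 1
        s["first"] = ts if s["first"] is None or ts < s["first"] else s["first"]
        s["last"] = ts if s["last"] is None or ts > s["last"] else s["last"]
    return dict(stats)


def noisy_sources(stats, min_count):
    """Source IPs whose hit count for any message reaches min_count."""
    return sorted({src for (_msg, src), s in stats.items() if s["count"] >= min_count})
```

Run against a real alert file, the threshold would be set well above the baseline the post mentions (4 alerts a day) so that a single host generating thousands of hits in a few minutes stands out.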

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
