Snort mailing list archives
Re: IIS/5.0 Content-Length Bug signature.
From: Chris Green <cmg () uab edu>
Date: Thu, 13 Dec 2001 11:27:07 -0600
"Ivan Hernandez Puga" <ivan.hernandez () globalsis com ar> writes:
Hello. I need to create a signature that searches for a "GET" request with the Content-Length invalid header. I have taken the cmd.exe signature and touched it. Until now it works for me. alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS Content-Length Bug"; flags: A+; content:"Content-Length"; nocase; classtype:web-application-attack; sid:1002; rev:2;)
This will go off with lots of false alarms as Content-Length: is done on every POST: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \ (msg:"WEB-IIS Content-Length Bug"; flags: A+; \ content: !"POST "; depth: 5; nocase; \ content:"Content-Length"; nocase; \ classtype:web-application-attack; ) Is probably a bit closer to what we need although I haven't tested it -- Chris Green <cmg () uab edu> A watched process never cores. _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- IIS/5.0 Content-Length Bug signature. Ivan Hernandez Puga (Dec 13)
- Re: IIS/5.0 Content-Length Bug signature. Chris Green (Dec 13)
- Re: IIS/5.0 Content-Length Bug signature. Chris Green (Dec 13)
- <Possible follow-ups>
- RE: IIS/5.0 Content-Length Bug signature. Ivan Hernandez Puga (Dec 13)
- Re: IIS/5.0 Content-Length Bug signature. Chris Green (Dec 13)