Snort mailing list archives

RE: IIS/5.0 Content-Length Bug signature.


From: "Ivan Hernandez Puga" <ivan.hernandez () globalsis com ar>
Date: Thu, 13 Dec 2001 14:30:29 -0300

Yes! That's what I needed. Thank you!
Ivan Hernandez

-----Original Message-----
From: Chris Green [mailto:cmg () uab edu] 
Sent: Thursday, December 13, 2001 2:27 PM
To: Ivan Hernandez Puga
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] IIS/5.0 Content-Length Bug signature.

"Ivan Hernandez Puga" <ivan.hernandez () globalsis com ar> writes:

Hello. I need to create a signature that searches for a "GET" request with the Content-Length invalid header.

I have taken the cmd.exe signature and touched it. Until now it works for me.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
     (msg:"WEB-IIS Content-Length Bug"; flags: A+; \
      content:"Content-Length"; nocase; \
      classtype:web-application-attack; sid:1002; rev:2;)

This will go off with lots of false alarms as Content-Length: is done
on every POST:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 \
     (msg:"WEB-IIS Content-Length Bug"; flags: A+; \
      content: !"POST "; depth: 5;  nocase; \
      content:"Content-Length"; nocase; \
      classtype:web-application-attack; )

Is probably a bit closer to what we need, although I haven't tested it.


-- 
Chris Green <cmg () uab edu>
A watched process never cores.
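
Added example (not part of the original messages and not Snort code): a simplified Python model of the `content`, `depth`, `nocase` and `!` options used in the two rules above, run over constructed requests to show which payloads each rule alerts on. Only those options are modelled; `flags`, stream reassembly, the function names and the sample requests are assumptions of this example.

```python
# Simplified model of Snort "content" matching. Assumption: only depth,
# nocase and "!" negation are modelled; each payload is judged on its own.

def content_match(payload, pattern, depth=None, nocase=False, negate=False):
    """True when the (possibly negated) content test passes for this payload."""
    window = payload if depth is None else payload[:depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    found = pattern in window
    return found != negate

def rule_original(payload):
    # content:"Content-Length"; nocase;
    return content_match(payload, b"Content-Length", nocase=True)

def rule_revised(payload):
    # content: !"POST "; depth: 5; nocase; content:"Content-Length"; nocase;
    return (content_match(payload, b"POST ", depth=5, nocase=True, negate=True)
            and content_match(payload, b"Content-Length", nocase=True))

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "post_form": b"POST /login.asp HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"Content-Length: 9\r\n\r\nuser=test",
    "get_plain": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "get_with_cl": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                   b"Content-Length: 100\r\n\r\n",
    # Other methods that normally carry a body also pass the !"POST " test.
    "put_upload": b"PUT /files/a.txt HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Content-Length: 5\r\n\r\nhello",
    # A later segment of a POST, inspected alone, no longer starts with "POST ".
    "post_later_segment": b"Host: www.example.com\r\nContent-Length: 9\r\n\r\nuser=test",
}

def evaluate(samples=SAMPLES):
    """Return {sample name: (original rule alerts, revised rule alerts)}."""
    return {name: (rule_original(p), rule_revised(p)) for name, p in samples.items()}

if __name__ == "__main__":
    for name, (orig, revised) in evaluate().items():
        print(f"{name:20} original={orig!s:5} revised={revised}")
```

In this model the revised rule no longer alerts on the ordinary POST, but it still alerts on the PUT and on the later POST segment, which is worth checking against real traffic before deploying it.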
