Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Broken rule set for 1.8.7

From: Phil Wood <cpw () lanl gov>
Date: Thu, 25 Jul 2002 16:19:10 -0600


Folks,

  http://www.snort.org/dl/signatures/snortrules.tar.gz

contains a broken rule.  It is possible that snort will core dump (depends
on the OS) if this rule exists (doesn't have to trigger).

rules/web-cgi.rules:

  alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bash access";flags:A+; uricontent:"/bash"; 
nocase; reference:cve,CAN-1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; 
classtype:web-application-activity; classtype:web-application-activity; sid:885;  rev:5;)

I'll leave it to the reader to figure out what is wrong with the rule.

Later,

Phil


-------------------------------------------------------
This sf.net email is sponsored by: Jabber - The world's fastest growing 
real-time communications platform! Don't just IM. Build it in! 
http://www.jabber.com/osdn/xim
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: