Snort mailing list archives

Data required about an old exploit


From: ecmproute <ecmproute () gmail com>
Date: Wed, 1 Feb 2006 11:51:50 +0530

Hi,
The rule with sid 1564:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC login.htm access"; flow:to_server,established; uricontent:"/login.htm"; nocase; reference:bugtraq,665; reference:cve,1999-1533; classtype:web-application-activity; sid:1564; rev:6;)

It is blocking even naive login.html pages. I have gone through the
details provided by Snort.org site about this rule.

I don't want to remove the rule altogether... but make it more
accurate so that it stops only the attacks on Eicon Networks DIVA T/A
ISDN Modem 2.0
Eicon Networks DIVA T/A ISDN Modem 1.0
Eicon Networks DIVA LAN ISDN Modem 1.0 Release 2.5.

Was it a length-based (huge string supplied to HTTP server) exploit?
Then is there any way I can specify that when this kind of request is
made, the max-length should not be more than, say, 40 characters?
Can I get more info on this exploit, so that I can change the rule accordingly?

Thanks in advance,
ecmproute
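The tuning the poster proposes (keep the sid:1564 content test, but only alert when the request URI is longer than a threshold) sketched as an added example; this is not code from the original post or from Snort, the 40-character threshold is the poster's suggestion, and the sample request lines are constructed.

```python
import re
from typing import Optional, Tuple

# Threshold the poster suggested for a "normal" login.htm request URI (assumption).
MAX_URI_LEN = 40

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d\r?$")


def parse_request_line(first_line: str) -> Optional[str]:
    """Return the request URI from an HTTP request line, or None if malformed."""
    m = REQUEST_LINE.match(first_line)
    return m.group("uri") if m else None


def rule_1564_matches(uri: str) -> bool:
    """Mirror the content test of sid:1564: uricontent:"/login.htm"; nocase;
    "/login.htm" is a substring of "/login.html", which is why ordinary pages fire."""
    return "/login.htm" in uri.lower()


def tuned_rule_matches(uri: str, max_len: int = MAX_URI_LEN) -> bool:
    """Proposed tuning: same content test, but alert only when the URI exceeds max_len.
    In Snort 2 rule syntax the equivalent option is urilen (e.g. urilen:>40;),
    subject to the Snort version in use."""
    return rule_1564_matches(uri) and len(uri) > max_len


def classify(request_line: str) -> Tuple[bool, bool]:
    """Return (original rule fires, tuned rule fires) for one request line."""
    uri = parse_request_line(request_line)
    if uri is None:
        return (False, False)
    return (rule_1564_matches(uri), tuned_rule_matches(uri))


# Constructed sample request lines, not captured traffic.
SAMPLES = {
    "benign_html": "GET /login.html HTTP/1.0",
    "benign_htm": "GET /login.htm HTTP/1.1",
    "oversized": "GET /login.htm?user=" + "A" * 200 + " HTTP/1.0",
    "unrelated": "GET /index.html HTTP/1.1",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        original, tuned = classify(line)
        print(f"{name:12s} original={original!s:5s} tuned={tuned}")
```

A length threshold only cuts the noise from ordinary login.htm(l) requests; a long URI that still matches is worth looking at, not proof of an attack on the DIVA firmware.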

