Snort mailing list archives

Crusoe Researches offer new rule for detecting last Opera browser overflow


From: rmkml <rmkml () free fr>
Date: Sun, 7 Mar 2010 21:37:13 +0100 (CET)

Hi,

Crusoe Researches is offering a new rule for detecting the last Opera browser overflow:
  http://www.Crusoe-Researches.com/en/httpoperacontentlengthreplyoverflow.txt
Remember to adjust the src/dst IPs/ports variables!

Credits:
Crusoe Researches
http://www.Crusoe-Researches.com
contact () Crusoe-Researches com
=> Crusoe Researches have more than 4408 UNIQ 'snort' rules for Commercial Access
               (Contact me directly if you are interested)

Crusoe Researches support Bro idps v1.5.1 project format (http://www.bro-ids.org/):
  signature sid-94408 {
   ip-proto == tcp
   src-port == http_ports
   event "WEB-CLIENT HTTP reply Content-Length overflow attempt"
   tcp-state established,responder
   payload /.*(^|\x0a)[Cc][Oo][Nn][Tt][Ee][Nn][Tt]\-[Ll][Ee][Nn][Gg][Tt][Hh]\:[^\n]{500}/
   }

Azwalaro new nidps open source project (WireShark based)
    http://www.Crusoe-Researches.com/azwalaro/
    azwalaro () Crusoe-Researches com
http matches "(?i)(^|\x0a)Content-Length\:[^\r\n]{500}"

Happy Detect
Regards
Rmkml
Crusoe-Researches.com

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
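
Added example (not part of the original post, and not Crusoe Researches' code): the Azwalaro expression quoted in the message, run in Python over constructed HTTP replies, next to a header-only variant of the same 500-character test. The header-only variant, the function names and the sample replies are assumptions of this example.

```python
import re

# Azwalaro expression from the message, compiled for bytes.
PAGE_RE = re.compile(rb"(?i)(^|\x0a)Content-Length\:[^\r\n]{500}")

def raw_match(payload: bytes) -> bool:
    """Apply the posted expression to the whole payload."""
    return PAGE_RE.search(payload) is not None

def header_match(reply: bytes, limit: int = 500) -> bool:
    """Same length test, limited to the reply's header block (assumed refinement)."""
    head = re.split(rb"\r?\n\r?\n", reply, maxsplit=1)[0]
    for line in re.split(rb"\r?\n", head)[1:]:      # [1:] skips the status line
        name, sep, value = line.partition(b":")
        if sep and name.lower() == b"content-length" and len(value) >= limit:
            return True
    return False

def make_reply(headers: bytes, body: bytes = b"ok") -> bytes:
    """Build a constructed HTTP reply for the samples below."""
    return b"HTTP/1.1 200 OK\r\n" + headers + b"\r\n\r\n" + body

# Constructed sample replies (not captured traffic).
SAMPLES = {
    "normal": make_reply(b"Content-Type: text/html\r\nContent-Length: 2"),
    "oversized": make_reply(b"Content-Length: " + b"9" * 600),
    "lowercase_500": make_reply(b"content-length:" + b"1" * 500),
    "boundary_499": make_reply(b"Content-Length: " + b"1" * 498),
    "in_body": make_reply(b"Content-Length: 617",
                          b"x\nContent-Length:" + b"A" * 600),
}

def run() -> dict:
    """Return {sample name: (payload-wide result, header-only result)}."""
    return {name: (raw_match(r), header_match(r)) for name, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, (raw, hdr) in run().items():
        print(f"{name:14} payload-wide={raw!s:5} header-only={hdr}")
```

The `in_body` sample is the one case where the two checks disagree: the long line sits in the reply body, so only the payload-wide expression fires.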

