Snort mailing list archives
Crusoe Researches offer new rule for detecting last Opera browser overflow
From: rmkml <rmkml () free fr>
Date: Sun, 7 Mar 2010 21:37:13 +0100 (CET)
Hi,

Crusoe Researches is offering a new rule for detecting last Opera browser overflow:
http://www.Crusoe-Researches.com/en/httpoperacontentlengthreplyoverflow.txt

Remember to adjust the src/dst ips/ports variables!

Credits: Crusoe Researches
http://www.Crusoe-Researches.com
contact () Crusoe-Researches com

=> Crusoe Researches have more than 4408 UNIQ 'snort' rules for Commercial Access (Contact me directly if you are interested)

Crusoe Researches support Bro idps v1.5.1 project format (http://www.bro-ids.org/):

signature sid-94408 {
  ip-proto == tcp
  src-port == http_ports
  event "WEB-CLIENT HTTP reply Content-Length overflow attempt"
  tcp-state established,responder
  payload /.*(^|\x0a)[Cc][Oo][Nn][Tt][Ee][Nn][Tt]\-[Ll][Ee][Nn][Gg][Tt][Hh]\:[^\n]{500}/
}

Azwalaro new nidps open source project (WireShark based)
http://www.Crusoe-Researches.com/azwalaro/
azwalaro () Crusoe-Researches com

http matches "(?i)(^|\x0a)Content-Length\:[^\r\n]{500}"

Happy Detect
Regards
Rmkml
Crusoe-Researches.com

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
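Added example, not part of the original post or of Crusoe Researches' rule set: the two patterns quoted in the message, transcribed to Python's `re` and run over constructed HTTP replies, next to a header-aware check. The `header_hit` and `reply` helpers and all sample replies are assumptions of this example; it shows how `[^\n]` and `[^\r\n]` differ at the 500-byte boundary and that a whole-payload match also fires on header-like text in the body.

```python
import re

# Both patterns are taken from the post and transcribed to Python's re;
# the Bro one drops the leading ".*" because search() is unanchored.
AZWALARO = re.compile(rb"(?i)(^|\x0a)Content-Length\:[^\r\n]{500}")
BRO = re.compile(rb"(^|\x0a)[Cc][Oo][Nn][Tt][Ee][Nn][Tt]\-"
                 rb"[Ll][Ee][Nn][Gg][Tt][Hh]\:[^\n]{500}")
LIMIT = 500  # threshold used by both signatures


def payload_hit(pattern, payload: bytes) -> bool:
    """Match anywhere in the reply payload, as the signatures do."""
    return pattern.search(payload) is not None


def header_hit(payload: bytes, limit: int = LIMIT) -> bool:
    """Header-aware check (an assumption of this example, not in the post):
    look only at Content-Length lines before the first blank line."""
    head = payload.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            if len(value) >= limit:  # bytes after the colon, like {500}
                return True
    return False


def reply(after_colon: bytes, body: bytes = b"ok") -> bytes:
    """Build a constructed HTTP reply; after_colon follows 'Content-Length:'."""
    return (b"HTTP/1.1 200 OK\r\nServer: example\r\n"
            b"Content-Length:" + after_colon + b"\r\n\r\n" + body)


# Constructed sample replies (not captured traffic).
SAMPLES = {
    "normal": reply(b" 2"),
    "500_bytes": reply(b" " + b"9" * 499),
    "499_bytes": reply(b" " + b"9" * 498),  # the trailing CR is byte 500 for [^\n]
    "lowercase": reply(b" " + b"9" * 499).replace(b"Content-L", b"content-l"),
    "in_body": reply(b" 516", b"\nContent-Length:" + b"A" * 500),
}


def run():
    """Return {sample: (azwalaro_hit, bro_hit, header_hit)}."""
    return {name: (payload_hit(AZWALARO, p), payload_hit(BRO, p), header_hit(p))
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name:10} azwalaro={hits[0]} bro={hits[1]} header={hits[2]}")
```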