Re: [Emerging-Sigs] Offer a new sig for detecting possible last PCRE overflow

[Will Metcalf <wmetcalf () emergingthreatspro com>]

Sorry for the long delay. I've been trying to figure out a way in which
this detection logic might be applicable, seems you would have to
DL/Compile/Evaluate an externally provided RE correct?

Regards,

Will

On Sat, Mar 19, 2016 at 2:39 PM, rmkml <rmkml () yahoo fr> wrote:

> Hi,
>
> The http://etplc.org project offer a new sig for detecting possible last
> PCRE overflow on @Snort community challenge and @EmergingThreats :
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
> libPCRE before 8.39 or libPCRE2 before 10.22 possible workspace overflow
> attempt"; flow:from_server,established; file_data; content:"(*ACCEPT)";
> nocase; distance:0; reference:cve,2016-3191; reference:url,
> bugzilla.redhat.com/show_bug.cgi?id=1311503; classtype:misc-activity;
> sid:1; rev:1;)
>
> Don't forget check variables.
>
> It's only a example, few others possibility exist ;)
> (check example on reference link)
>
> Please send any comments.
>
> Regards
> @Rmkml
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs () lists emergingthreats net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785351&iu=/4140

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!