Snort mailing list archives

Offer a new sig for detecting HttpOxy vulnerability


From: rmkml <rmkml () ligfy org>
Date: Mon, 18 Jul 2016 20:52:30 +0200 (CEST)

Hi,

The http://etplc.org open source project offers a new sig for detecting the "HttpOxy" vulnerability:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC HttpOxy vulnerability HTTP Proxy header attempt"; \
  flow:to_server,established; content:"Proxy|3A|"; nocase; http_header; pcre:"/^Proxy\x3a/Hsmi"; \
  reference:url,httpoxy.org; \
  reference:cve,2016-5385; reference:cve,2016-5386; reference:cve,2016-5387; \
  reference:cve,2016-5388; reference:cve,2016-1000109; reference:cve,2016-1000110; \
  reference:url,isc.sans.edu/forums/diary/HTTP+Proxy+Header+Vulnerability+httpoxy/21271/; \
  classtype:misc-attack; sid:1; rev:1;)

See reference for more information.

Don't forget to check variables.

Please send any comments.

Regards
@Rmkml
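
Added example, not part of the original post or of the ETPLC project: a Python approximation of the rule's two header tests, run over constructed requests to show which headers alert and why the line-anchored pcre is needed on top of the content match. Assumptions: the http_header buffer is modelled as the raw header lines after the request line, Python's `re` stands in for PCRE, and the function names and sample requests are made up for illustration.

```python
import re

# content:"Proxy|3A|"; nocase; http_header;  -> case-insensitive substring test
CONTENT = b"proxy:"
# pcre:"/^Proxy\x3a/Hsmi";  -> "Proxy:" at the start of any header line
PCRE = re.compile(rb"^Proxy\x3a", re.S | re.M | re.I)


def header_buffer(raw_request: bytes) -> bytes:
    """Header lines only: request line and body dropped (modelling assumption)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    parts = head.split(b"\r\n", 1)
    return parts[1] if len(parts) > 1 else b""


def evaluate(raw_request: bytes) -> dict:
    """Report which rule options match; the rule alerts only when both do."""
    buf = header_buffer(raw_request)
    content_hit = CONTENT in buf.lower()
    pcre_hit = PCRE.search(buf) is not None
    return {"content": content_hit, "pcre": pcre_hit,
            "alert": content_hit and pcre_hit}


def build(*headers: str) -> bytes:
    """Build a constructed GET request carrying the given extra headers."""
    lines = ["GET /cgi-bin/app HTTP/1.1", "Host: www.example.test", *headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


# Constructed sample requests (192.0.2.0/24 is a documentation range).
SAMPLES = {
    "proxy_header": build("Proxy: http://192.0.2.10:8080"),
    "lowercase": build("proxy: http://192.0.2.10:8080"),
    "proxy_connection": build("Proxy-Connection: keep-alive"),
    "x_proxy": build("X-Proxy: internal"),
    "value_only": build("Referer: http://www.example.test/?q=Proxy:"),
    "clean": build("Accept: */*"),
}

if __name__ == "__main__":
    for name, request in SAMPLES.items():
        print(f"{name:17} {evaluate(request)}")
```

The `x_proxy` and `value_only` samples satisfy the content match but not the pcre, so the anchored pcre is what keeps them from alerting.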
