Snort mailing list archives

Offer sig for detect IISv6 WebDAV If header overflow

From: rmkml <rmkml () ligfy org>
Date: Mon, 27 Mar 2017 21:39:33 +0200 (CEST)

Hello,

First, thx edwardz246003 for sharing exploit,

Please check sig for detecting IISv6 WebDAV If header overflow:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC IIS v6 WebDAV ScStoragePathFromUrl overflow 
attempt"; flow:to_server,established;
content:"PROPFIND"; nocase; http_method; content:"|0a|If|3a|"; nocase; http_raw_header; isdataat:1000,relative; 
content:!"|0A|"; http_raw_header;
within:1000; reference:cve,2017-7269; reference:url,github.com/edwardz246003/IIS_exploit;
classtype:web-application-attack; sid:1; rev:1;)

Please check vars and send any comments.

Best Regards
@Rmkml

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

Current thread:

Offer sig for detect IISv6 WebDAV If header overflow rmkml (Mar 27)
- Re: Offer sig for detect IISv6 WebDAV If header overflow Tyler Montier (Mar 27)