Vulnerability Development mailing list archives

FW: [Snort-sigs] php overflow signatures


From: "John Adair" <J.Adair () SempermedUSA com>
Date: Tue, 26 Feb 2002 19:17:29 -0500

This applies to the "who" "what" "where" "when" thread that has been
discussed this week.

- - -
Opinions expressed do not necessarily represent the views of my employer.


-----Original Message-----
From: snort-sigs-admin () lists sourceforge net
[mailto:snort-sigs-admin () lists sourceforge net]On Behalf Of Brian
Sent: Tuesday, February 26, 2002 7:02 PM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] php overflow signatures


Below are the initial signatures for the PHP overflow that is about to
get a bunch of publication.  Have fun and whatnot.

Sourceforge's CVS server is broken, so these are not yet in CVS.

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition memchr overlfow"; flags:A+; content:"Content-Disposition\:"; content:"name=\"|CC CC CC CC CC|"; classtype:web-application-attack; sid:1423; rev:1;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPERIMENTAL SHELLCODE x86 EB OC NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; classtype:shellcode-detect; sid:1424; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition"; flags:A+; content:"Content-Disposition\:"; content:"form-data\;"; classtype:web-application-attack; sid:1425; rev:1;)

--
Brian Caswell
Snort Signature Guy
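
An added example, not part of the original message and not Snort's own code: a minimal Python evaluator for the content options of the three rules above, run over constructed payloads to show which sids fire. It checks only the content patterns (case-sensitive, anywhere in the payload) and ignores the rule headers and flags; the function names and sample payloads are assumptions made for this illustration.

```python
import re

# Option strings copied from the three rules in the message (rule headers omitted).
RULES = {
    1423: r'content:"Content-Disposition\:"; content:"name=\"|CC CC CC CC CC|";',
    1424: r'content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|";',
    1425: r'content:"Content-Disposition\:"; content:"form-data\;";',
}

CONTENT_RE = re.compile(r'content:"((?:\\.|[^"\\])*)"')

def decode_content(value):
    """Snort content string -> raw bytes: |..| is hex, backslash escapes the next char."""
    out, i = bytearray(), 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            out += value[i + 1].encode("latin-1")
            i += 2
        elif ch == "|":
            end = value.index("|", i + 1)
            out += bytes.fromhex(value[i + 1:end])
            i = end + 1
        else:
            out += ch.encode("latin-1")
            i += 1
    return bytes(out)

def patterns(options):
    return [decode_content(m) for m in CONTENT_RE.findall(options)]

def matching_sids(payload):
    """Return the sids whose content patterns all occur in the payload."""
    return sorted(sid for sid, opts in RULES.items()
                  if all(p in payload for p in patterns(opts)))

# Constructed sample payloads (not captured traffic).
UPLOAD = (
    b"POST /up.php HTTP/1.0\r\nContent-Type: multipart/form-data; boundary=x\r\n\r\n"
    b'--x\r\nContent-Disposition: form-data; name="file"; filename="a.txt"\r\n\r\n'
    b"hi\r\n--x--\r\n"
)
FILLER = b'Content-Disposition: form-data; name="' + b"\xcc" * 16 + b'"\r\n'
SLED = b"\xeb\x0c" * 8

if __name__ == "__main__":
    for label, data in (("upload", UPLOAD), ("filler", FILLER), ("sled", SLED)):
        print(label, matching_sids(data))
```

Sid 1425 fires on an ordinary multipart upload, so on its own it records that an upload happened rather than indicating the overflow; sid 1423 additionally requires the 0xCC run directly after name=".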

