FW: [Snort-sigs] php overflow signatures

From: John Adair (J.Adair@SempermedUSA.com)
Date: 02/27/02


From: "John Adair" <J.Adair@SempermedUSA.com>
To: <vuln-dev@securityfocus.com>
Date: Tue, 26 Feb 2002 19:17:29 -0500

This applies to the "who" "what" "where" "when" thread that has been
discussed this week.

- - -
Opinions expressed do not necessarily represent the views of my employer.

This message and any attachment are confidential and may be privileged or
otherwise protected from disclosure. If you are not the intended recipient,
please telephone, fax or e-mail to the sender without delay. Return this
message or delete this message and any attachment from your system as per
our request. If you are not the intended recipient you must not copy this
message or attachments or disclose the contents to any other person.

-----Original Message-----
From: snort-sigs-admin@lists.sourceforge.net
[mailto:snort-sigs-admin@lists.sourceforge.net] On Behalf Of Brian
Sent: Tuesday, February 26, 2002 7:02 PM
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] php overflow signatures

Below are the initial signatures for the PHP overflow that is about to
get a bunch of publication. Have fun and whatnot.

Sourceforge's CVS server is broken, so these are not yet in CVS.

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition memchr overflow"; flags:A+; content:"Content-Disposition\:"; content:"name=\"|CC CC CC CC CC|"; classtype:web-application-attack; sid:1423; rev:1;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPERIMENTAL SHELLCODE x86 EB 0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; classtype:shellcode-detect; sid:1424; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition"; flags:A+; content:"Content-Disposition\:"; content:"form-data\;"; classtype:web-application-attack; sid:1425; rev:1;)

--
Brian Caswell
Snort Signature Guy

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
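The three signatures above reduced to their content-match logic, as an added example that is not part of the original post. The matcher emulates Snort 1.8 content: semantics (every content: option must occur somewhere in the payload, with no ordering constraint) rather than running Snort, and the HTTP payloads are constructed samples, not captures. It also shows why sid 1425 is noisy: "form-data;" appears in every ordinary multipart upload.

```python
def parse_content(spec: str) -> bytes:
    """Turn a Snort content: string into raw bytes.

    Handles backslash escapes (\\: \\; \\" \\\\) and |HH HH| binary sections,
    which is all the posted signatures use.
    """
    out = bytearray()
    i = 0
    while i < len(spec):
        ch = spec[i]
        if ch == "\\":                      # escaped char -> literal
            out += spec[i + 1].encode("latin-1")
            i += 2
        elif ch == "|":                     # |CC CC| hex section
            end = spec.index("|", i + 1)
            out += bytes.fromhex(spec[i + 1:end])
            i = end + 1
        else:
            out += ch.encode("latin-1")
            i += 1
    return bytes(out)


def rule_matches(payload: bytes, contents: list) -> bool:
    """Snort 1.8-style: all content: options must be present (unordered)."""
    return all(parse_content(c) in payload for c in contents)


# content: options transcribed from the posted rules (sid 1423, 1424, 1425).
SID_1423 = ['Content-Disposition\\:', 'name=\\"|CC CC CC CC CC|']
SID_1424 = ['|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|']
SID_1425 = ['Content-Disposition\\:', 'form-data\\;']

# Constructed sample payloads (not real traffic).
BENIGN_UPLOAD = (
    b'POST /upload.php HTTP/1.0\r\n'
    b'Content-Type: multipart/form-data; boundary=xyz\r\n\r\n'
    b'--xyz\r\nContent-Disposition: form-data; name="file"; '
    b'filename="a.txt"\r\n\r\nhello\r\n--xyz--\r\n'
)
# Same upload shape, but the name parameter is 64 bytes of 0xCC filler,
# the pattern sid 1423 looks for.
PADDED_NAME = (
    b'--xyz\r\nContent-Disposition: form-data; name="'
    + b'\xcc' * 64 + b'"\r\n\r\nx\r\n--xyz--\r\n'
)


def evaluate(payload: bytes) -> dict:
    """Return which of the three sids would fire on a payload."""
    return {1423: rule_matches(payload, SID_1423),
            1424: rule_matches(payload, SID_1424),
            1425: rule_matches(payload, SID_1425)}
```

Running evaluate() on the two samples shows sid 1423 firing only on the padded name, sid 1424 on neither, and sid 1425 on both, so 1425 on its own is an inventory of multipart uploads rather than an attack indicator.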

