Snort mailing list archives
Broken rule set for 1.8.7
From: Phil Wood <cpw () lanl gov>
Date: Thu, 25 Jul 2002 16:19:10 -0600
Folks,

http://www.snort.org/dl/signatures/snortrules.tar.gz contains a broken rule. It is possible that snort will core dump (depends on the OS) if this rule exists (doesn't have to trigger).

rules/web-cgi.rules:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bash access";flags:A+; uricontent:"/bash"; nocase; reference:cve,CAN-1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:web-application-activity; classtype:web-application-activity; sid:885; rev:5;)

I'll leave it to the reader to figure out what is wrong with the rule.

Later,
Phil
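An added example, not part of the original post or of Snort: a small pre-deployment check that flags rule options repeated within one rule, run over the rule quoted above. The post does not say which part of the rule is at fault; the set of options treated as single-use, and the names `option_keywords`, `repeated_options` and `lint`, are assumptions of this example.

```python
from collections import Counter

# Assumption of this example: options that make sense only once per rule.
# reference, content, uricontent and nocase may legitimately repeat.
SINGLE_USE = {"msg", "classtype", "sid", "rev", "flags", "priority"}

def option_keywords(rule):
    """Return the option keywords inside (...), in order, honouring quoted strings."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end <= start:
        raise ValueError("rule has no (...) option block")
    opts, cur, quoted, escaped = [], "", False, False
    for ch in rule[start + 1:end]:
        if ch == ";" and not quoted:      # option separator outside quotes
            opts.append(cur)
            cur = ""
            continue
        if ch == '"' and not escaped:     # an unescaped quote toggles quoting
            quoted = not quoted
        escaped = (ch == "\\" and not escaped)
        cur += ch
    opts.append(cur)                      # tolerate a missing final ';'
    return [o.split(":", 1)[0].strip().lower() for o in opts if o.strip()]

def repeated_options(rule):
    """Single-use options that occur more than once in one rule."""
    counts = Counter(option_keywords(rule))
    return sorted(k for k, n in counts.items() if n > 1 and k in SINGLE_USE)

def lint(rules_text):
    """Map line number -> repeated options, skipping blank and comment lines."""
    findings = {}
    for n, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#"):
            dups = repeated_options(line)
            if dups:
                findings[n] = dups
    return findings

# The rule exactly as quoted in the post (sid 885).
POSTED_RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
               '(msg:"WEB-CGI bash access";flags:A+; uricontent:"/bash"; nocase; '
               'reference:cve,CAN-1999-0509; '
               'reference:url,www.cert.org/advisories/CA-1996-11.html; '
               'classtype:web-application-activity; '
               'classtype:web-application-activity; sid:885; rev:5;)')
# Constructed rule: ';' inside a quoted msg and repeated content modifiers are fine.
CLEAN_RULE = ('alert tcp any any -> any 80 (msg:"constructed; sid:1; example"; '
              'uricontent:"/a"; nocase; uricontent:"/b"; nocase; sid:1000001; rev:1;)')

if __name__ == "__main__":
    print(lint("# constructed rules file\n" + POSTED_RULE + "\n" + CLEAN_RULE))
```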