Snort mailing list archives
RE: SID 1156
From: "Alberto Gonzalez" <albertg () cerebro wwjh net>
Date: Sat, 11 Jan 2003 10:05:17 -0800
That looks to me like the Chunked Encoding Apache Vulnerability. You can check out the actual exploit code for it on packetstorm [1] and cert [2] has an official advisory (which is never useful).

If this isn't it, whoops... It's way too early to be snorting anyway.

Cheers!
Alberto Gonzalez

[1] - http://packetstorm.decepticons.org/0206-exploits/apache-nosejob.c
[2] - http://www.cert.org/advisories/CA-2002-17.html

PS: Don't cross-post on the various lists, I just noticed when I hit "reply-all" that you sent both to snort-users and snort-sigs.... thanks!

--
"The secret to success is to start from scratch and keep on scratching."

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Apurv Singh
Sent: Friday, January 10, 2003 11:19 AM
To: snort-sigs () lists sourceforge net
Cc: snort-users () lists sourceforge net
Subject: [Snort-users] SID 1156

I got close to 40 alerts on this rule. It triggers if the content matches 2f2f2f2f2f2f2f2f and it's classified as an Apache DOS attempt. Does anyone know which vulnerability in Apache this exploit is for?

Thanks.