Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: SID 1156

From: "Alberto Gonzalez" <albertg () cerebro wwjh net>
Date: Sat, 11 Jan 2003 10:05:17 -0800
That looks to me like the Chunked Encoding Apache Vulnerability. You can
check out the actual exploit code for it on packetstorm [1] and cert [2]
has
An official advisory (which is never useful). If this isn't it,
whoops... It's Way too early to be snorting anyway.

Cheers!
        Alberto Gonzalez

[1] - http://packetstorm.decepticons.org/0206-exploits/apache-nosejob.c
[2] - http://www.cert.org/advisories/CA-2002-17.html

PS: Don't cross posts on the various lists, I just noticed when I hit
"reply-all" that you sent both to snort-users and snort-sigs.... thanks!

--
"The secret to success is to start from scratch and keep on scratching. 


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Apurv
Singh
Sent: Friday, January 10, 2003 11:19 AM
To: snort-sigs () lists sourceforge net
Cc: snort-users () lists sourceforge net
Subject: [Snort-users] SID 1156

I got close to 40 alerts on this rule. It triggers if the content
matches
2f2f2f2f2f2f2f2f and it's classified as an Apache DOS attempt. Does
anyone
know which vulnerability in Apache is this exploit for ?

Thanks.





-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: