RE: Undocumented SIDs

["Willy, Andrew" <AWilly () eSMIL net>]

I'm using the general signatures from Sourcefire.  I read that the exploit
can impact memory on the target device, DoS style, but other than an old
version of Apache I can't find out what is vulnerable. It seems like an
antiquated exploit but I'm concerned at how many we're suddenly receiving,
and from the variety of origins. 

Thank you,

Andrew


-----Original Message-----
From: Ron [mailto:iago () valhallalegends com]
Sent: Thursday, July 21, 2005 1:43 PM
To: Willy, Andrew
Subject: Re: [Snort-users] Undocumented SIDs


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Bleeding-Snort (www.bleedingsnort.org) triggers an incoming worm
attack rule for this.  If it's the same one I've been seeing, it's an
exploit versus IIS.  But the general signature doesn't say that, it just
detects a very long URI, which can mean anything.

Willy, Andrew wrote:
> List,
>
> Do any of you know off-hand a good place to get information on the alerts
> that aren't documented, such as OVERSIZE REQUEST-URI DIRECTORY, etc.  I
> Googled away and did not find anything comprehensive.  
>
> Thanks
>
> Andrew
NOTICE OF CONFIDENTIALITY-The information in this email, including
attachments, may be confidential and/or privileged and may contain
confidential health information. This email is intended to be reviewed only
by the individual or organization named as addressee. If you have received
this email in error please notify Scottsdale Medical Imaging, an affiliate
of Southwest Diagnostic Imaging, LTD immediately - by return message to the
sender or to support () esmil com - and destroy all copies of this message and
any attachments. Please note that any views or opinions presented in this
email are solely those of the author and do not necessarily represent those
of Scottsdale Medical Imaging. Confidential health information is protected
by state and federal law, including, but not limited to, the Health
Insurance Portability and Accountability Act of 1996 and related
regulations.


-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users