Snort mailing list archives
Re: flow_depth and WMF exploit
From: Brian Caswell <bmc () snort org>
Date: Wed, 4 Jan 2006 11:38:25 -0500
On Jan 3, 2006, at 9:37 PM, Jason Haar wrote:
The interesting bit is that the HTTP response is filled with randomlygenerated data in the form of Cookies to fill the first 300-400 bytes of the response with junk... Gee - I wonder what they were trying to bypass...
The HTTP response includes at least 3072 bytes of custom headers, not cookies. The addition of custom headers evaded a few generations of bleeding rules, in addition to a number of other vendor's signatures for this vulnerability.
Brian ------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://ads.osdn.com/?ad_id=7637&alloc_id=16865&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: flow_depth and WMF exploit, (continued)
- Re: flow_depth and WMF exploit Matthew Watchinski (Jan 05)
- Re: flow_depth and WMF exploit Frank Knobbe (Jan 05)
- Re: flow_depth and WMF exploit Jason (Jan 05)
- Re: flow_depth and WMF exploit Frank Knobbe (Jan 05)
- Re: flow_depth and WMF exploit Jason (Jan 05)
- Re: flow_depth and WMF exploit Frank Knobbe (Jan 05)
- Re: flow_depth and WMF exploit Jason (Jan 05)
- Re: flow_depth and WMF exploit Jason Haar (Jan 05)
- Re: flow_depth and WMF exploit Matthew Watchinski (Jan 05)
- Re: flow_depth and WMF exploit Jason Haar (Jan 03)
- Re: flow_depth and WMF exploit Brian Caswell (Jan 04)
- Re: flow_depth and WMF exploit Tom Le (Jan 03)