Snort mailing list archives
Re: [Emerging-Sigs] Offer a new sig for detecting possible last PCRE overflow
From: Will Metcalf <wmetcalf () emergingthreatspro com>
Date: Wed, 23 Mar 2016 11:09:31 -0500
Sorry for the long delay. I've been trying to figure out a way in which this detection logic might be applicable, seems you would have to DL/Compile/Evaluate an externally provided RE, correct?

Regards,

Will

On Sat, Mar 19, 2016 at 2:39 PM, rmkml <rmkml () yahoo fr> wrote:
> Hi,
>
> The http://etplc.org project offers a new sig for detecting possible last PCRE overflow on @Snort community challenge and @EmergingThreats:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT libPCRE before 8.39 or libPCRE2 before 10.22 possible workspace overflow attempt"; flow:from_server,established; file_data; content:"(*ACCEPT)"; nocase; distance:0; reference:cve,2016-3191; reference:url, bugzilla.redhat.com/show_bug.cgi?id=1311503; classtype:misc-activity; sid:1; rev:1;)
>
> Don't forget to check variables.
> It's only an example; a few other possibilities exist ;) (check the example on the reference link)
>
> Please send any comments.
>
> Regards
> @Rmkml
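As an added example (not part of the thread and not ETPLC or Emerging Threats code), this Python triage helper reproduces the rule's case-insensitive `(*ACCEPT)` match on a response body and records how many parentheses are open at each hit, since the CVE-2016-3191 description ties the overflow to `(*ACCEPT)` used with nested parentheses. The function names, the 256-byte look-back window, the depth threshold and the sample bodies are assumptions constructed for illustration.

```python
import re

# Same bytes as the rule's content:"(*ACCEPT)"; nocase; match.
VERB = re.compile(rb"\(\*ACCEPT\)", re.IGNORECASE)

def paren_depth(data: bytes) -> int:
    """Count unescaped '(' still open at the end of data.
    Heuristic only: character classes and comments are not parsed."""
    depth, i = 0, 0
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            i += 2          # skip the escaped character
            continue
        if c == b"(":
            depth += 1
        elif c == b")" and depth > 0:
            depth -= 1
        i += 1
    return depth

def triage(body: bytes, window: int = 256, min_depth: int = 2):
    """One finding per (*ACCEPT) hit, with the nesting depth just before it.
    window and min_depth are assumed tuning values, not from the thread."""
    findings = []
    for m in VERB.finditer(body):
        start = max(0, m.start() - window)
        depth = paren_depth(body[start:m.start()])
        findings.append({
            "offset": m.start(),
            "depth": depth,
            "priority": "high" if depth >= min_depth else "low",
        })
    return findings

# Constructed sample bodies (not captured traffic).
SAMPLES = {
    "docs page": b"Use the (*ACCEPT) verb to end a match early.",
    "script with nested groups": b'var re = "((a)(b(*accept)))";',
    "unrelated page": b"<html>hello</html>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, triage(body))
```

A hit only matters if the receiving client actually compiles the served text as a regular expression with an affected libpcre, so the depth value is context for an analyst rather than a verdict.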