php exploit?

From: jon schatz (jonat_private)
Date: Wed Feb 27 2002 - 13:56:35 PST


    From the incidents list. Has there been an "official" announcement yet?
    
        This just hit the snort-sigs list this afternoon:
        
        From: Brian <bmcat_private>
        Date: Tue Feb 26, 2002  04:02:22  US/Pacific
        Subject: [Snort-sigs] php overflow signatures
        
        Below are the initial signatures for the PHP overflow that is about to
        get a bunch of publication.  Have fun and whatnot.
        
        Sourceforge's CVS server is broken, so these are not yet in CVS.
        
        alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition memchr overflow"; flags:A+; content:"Content-Disposition\:"; content:"name=\"|CC CC CC CC CC|"; classtype:web-application-attack; sid:1423; rev:1;)
        
        alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPERIMENTAL SHELLCODE x86 EB 0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; classtype:shellcode-detect; sid:1424; rev:1;)
        
        alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition"; flags:A+; content:"Content-Disposition\:"; content:"form-data\;"; classtype:web-application-attack; sid:1425; rev:1;)
        
    -jon
    
    -- 
    jonat_private || www.divisionbyzero.com
    gpg key: www.divisionbyzero.com/pubkey.asc
    think i have a virus?: www.divisionbyzero.com/pgp.html
    "You are in a twisty little maze of Sendmail rules, all confusing." 
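
The three rules above are plain substring matches, so their behaviour can be checked offline. What follows is an added example, not code from the post, from Brian, or from the Snort project: it parses the quoted rules (with the two msg typos corrected), decodes Snort's `content:` syntax (`|..|` hex runs and backslash escapes) into bytes, and runs the result over constructed HTTP requests. The `flags:A+` test and the $HOME_NET/$EXTERNAL_NET variables are assumed satisfied; the sample requests, the `decode_content`/`parse_rule`/`matching_sids` helpers and the host names in them are this example's own inventions.

```python
"""Re-implementation of the three experimental Snort rules quoted in the
post as byte-pattern checks over constructed HTTP requests.

Added example, not from the post or the Snort project.  Only the content
matches and the proto/port selectors are modelled; flags:A+ (TCP ACK set)
and the $HOME_NET / $EXTERNAL_NET variables are assumed to be satisfied.
"""
import re
from dataclasses import dataclass

# The rules as posted, one per line, msg typos corrected.
RULE_TEXT = [
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition memchr overflow"; flags:A+; content:"Content-Disposition\:"; content:"name=\"|CC CC CC CC CC|"; classtype:web-application-attack; sid:1423; rev:1;)',
    r'alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPERIMENTAL SHELLCODE x86 EB 0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; classtype:shellcode-detect; sid:1424; rev:1;)',
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition"; flags:A+; content:"Content-Disposition\:"; content:"form-data\;"; classtype:web-application-attack; sid:1425; rev:1;)',
]


@dataclass
class Rule:
    proto: str        # "tcp" or "ip" (ip matches any transport)
    dport: str        # "any" or a port number as written in the rule
    sid: int
    msg: str
    contents: list    # decoded byte strings; all must appear in the payload


def decode_content(s: str) -> bytes:
    """Turn a Snort content string into bytes: |EB 0C| is hex, \\x is literal x."""
    out = bytearray()
    i = 0
    while i < len(s):
        c = s[i]
        if c == "|":                       # hex run up to the closing '|'
            j = s.index("|", i + 1)
            out += bytes.fromhex(s[i + 1:j].replace(" ", ""))
            i = j + 1
        elif c == "\\":                    # escaped ':', ';' or '"'
            out.append(ord(s[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def parse_rule(text: str) -> Rule:
    """Pull proto, destination port, sid, msg and content matches out of a rule."""
    m = re.match(r'alert (\w+) \S+ \S+ -> \S+ (\S+) \((.*)\)\s*$', text)
    proto, dport, opts = m.groups()
    contents = [decode_content(c)
                for c in re.findall(r'content:"((?:[^"\\]|\\.)*)"', opts)]
    sid = int(re.search(r'sid:(\d+)', opts).group(1))
    msg = re.search(r'msg:"([^"]*)"', opts).group(1)
    return Rule(proto, dport, sid, msg, contents)


RULES = [parse_rule(t) for t in RULE_TEXT]


def matching_sids(payload: bytes, proto: str = "tcp", dport: int = 80) -> list:
    """Return the sids of every rule whose selectors and all contents match."""
    hits = []
    for r in RULES:
        if r.proto not in ("ip", proto):
            continue
        if r.dport != "any" and int(r.dport) != dport:
            continue
        if all(c in payload for c in r.contents):   # no relative modifiers in these rules
            hits.append(r.sid)
    return hits


# Constructed sample requests (not real captures).
# Field name of five 0xCC bytes plus an EB 0C sled: the pattern sid 1423/1424 look for.
SUSPECT_UPLOAD = (
    b"POST /upload.php HTTP/1.0\r\n"
    + b"Content-Type: multipart/form-data; boundary=xyz\r\n\r\n"
    + b"--xyz\r\n"
    + b'Content-Disposition: form-data; name="\xcc\xcc\xcc\xcc\xcc"; filename="a"\r\n'
    + b"Content-Type: application/octet-stream\r\n\r\n"
    + b"\xeb\x0c" * 8 + b"\r\n--xyz--\r\n"
)
# An ordinary file upload: sid 1425 fires on this too, since every multipart
# form post carries "Content-Disposition: form-data;".
BENIGN_UPLOAD = (
    b"POST /upload.php HTTP/1.0\r\n"
    + b"Content-Type: multipart/form-data; boundary=xyz\r\n\r\n"
    + b"--xyz\r\n"
    + b'Content-Disposition: form-data; name="file"; filename="notes.txt"\r\n'
    + b"Content-Type: text/plain\r\n\r\nhello\r\n--xyz--\r\n"
)
PLAIN_GET = b"GET /index.php HTTP/1.0\r\nHost: www.example.com\r\n\r\n"


if __name__ == "__main__":
    for name, req in [("suspect", SUSPECT_UPLOAD), ("benign", BENIGN_UPLOAD), ("get", PLAIN_GET)]:
        print(name, matching_sids(req))
```

Two things the run makes visible that the rule text alone does not: sid 1425 matches every multipart form post, not just the attack, so on a site with file uploads it is a noise generator rather than a detector; and sid 1424 is an `ip` rule with `any` ports, so it still fires on the same payload sent to a non-80 port while 1423 and 1425 go quiet.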
    This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 17:28:29 PST