This applies to the "who" "what" "where" "when" thread that has been discussed this week.

-----Original Message-----
From: snort-sigs-adminat_private [mailto:snort-sigs-adminat_private]On Behalf Of Brian
Sent: Tuesday, February 26, 2002 7:02 PM
To: snort-sigsat_private
Subject: [Snort-sigs] php overflow signatures

Below are the initial signatures for the PHP overflow that is about to get a bunch of publication. Have fun and whatnot.

Sourceforge's CVS server is broken, so these are not yet in CVS.

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition memchr overlfow"; flags:A+; content:"Content-Disposition\:"; content:"name=\"|CC CC CC CC CC|"; classtype:web-application-attack; sid:1423; rev:1;)

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"EXPERIMENTAL SHELLCODE x86 EB OC NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; classtype:shellcode-detect; sid:1424; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPERIMENTAL php content-disposition"; flags:A+; content:"Content-Disposition\:"; content:"form-data\;"; classtype:web-application-attack; sid:1425; rev:1;)

--
Brian Caswell
Snort Signature Guy
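For tuning, it helps to see which of the three signatures fire on ordinary traffic. The sketch below is an added example, not code from the original message or from the Snort project: it decodes the `content:` strings of sids 1423 to 1425 and checks them against constructed payloads. It assumes each `content:` is an independent, case-sensitive substring match and ignores the rule headers and `flags:A+`; `decode_content`, `matching_sids` and the sample payloads are hypothetical names and data.

```python
# sid -> content patterns, copied from the three rules in the message.
RULES = {
    1423: [r'Content-Disposition\:', r'name=\"|CC CC CC CC CC|'],
    1424: [r'|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|'],
    1425: [r'Content-Disposition\:', r'form-data\;'],
}

def decode_content(pattern):
    """Turn a Snort content string into bytes: |..| spans are hex, '\\' escapes the next char."""
    out, hexbuf, in_hex, i = bytearray(), "", False, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "|":                       # toggle hex mode, flushing collected hex digits
            if in_hex:
                out += bytes.fromhex(hexbuf)
                hexbuf = ""
            in_hex = not in_hex
        elif in_hex:
            hexbuf += ch
        elif ch == "\\" and i + 1 < len(pattern):
            i += 1                          # escaped literal such as \: \; \"
            out += pattern[i].encode("latin-1")
        else:
            out += ch.encode("latin-1")
        i += 1
    if in_hex:
        raise ValueError("unterminated |hex| span in content pattern")
    return bytes(out)

def matching_sids(payload):
    """Return the sids whose content patterns are all present somewhere in the payload."""
    return sorted(sid for sid, contents in RULES.items()
                  if all(decode_content(c) in payload for c in contents))

# Constructed sample payloads (assumptions, not captured traffic).
PLAIN_GET = b"GET /index.php HTTP/1.0\r\n\r\n"
BENIGN_UPLOAD = (b"POST /upload.php HTTP/1.0\r\n"
                 b"Content-Type: multipart/form-data; boundary=xx\r\n\r\n"
                 b'--xx\r\nContent-Disposition: form-data; name="file"; '
                 b'filename="a.txt"\r\n\r\nhello\r\n--xx--\r\n')
FILLER_NAME = (b"POST /upload.php HTTP/1.0\r\n\r\n"
               b'--xx\r\nContent-Disposition: form-data; name="' + b"\xcc" * 8 + b'"\r\n')
EB0C_RUN = b"\x00" + b"\xeb\x0c" * 8

if __name__ == "__main__":
    for label, data in [("plain GET", PLAIN_GET), ("benign upload", BENIGN_UPLOAD),
                        ("0xCC name field", FILLER_NAME), ("EB 0C run", EB0C_RUN)]:
        print(f"{label:16} -> {matching_sids(data)}")
```

Under these assumptions sid 1425 alerts on every ordinary multipart form upload, so it is better read as a visibility rule than as an attack indicator, while sid 1423 needs the `name="` field to begin with five 0xCC bytes.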
This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 18:59:03 PST