Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] false negative for SID 2386

from [Lutz Schildt] Network Security [Permanent Link]
Subject: [Snort-sigs] false negative for SID 2386
Date: Fri, 17 Jun 2005 15:54:30 +0200 
Hi there,
 
I recently found a few attempts to exploit that ASN.1 bug while going through a 
binary tcpdump-log using ethereal.
 
GET / HTTP/1.0
Host: a.b.c.d
Authorization: Negotiate YIIQegYGKwYBBQUCoIIQb [--cut--]
 
Snort doesn't report this one.
 
maybe the rule should be changed to
 
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS NTLM 
ASN.1 vulnerability scan attempt"; flow:to_server,established; 
content:"Authorization|3A| Negotiate YI"; reference:bugtraq,9633; 
reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; 
reference:nessus,12055; reference:nessus,12065; classtype:attempted-dos; 
sid:2386; rev:8;)
 
as the Authorization only is the same upto here.
 
Kind regards
 
Lutz Schildt
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Snort-sigs] false negative for SID 2386, Lutz Schildt <=
Previous by Date:  [Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Next by Date:  [Snort-sigs] help in implementing react keyword, mukherji rakesh
Previous by Thread:  [Snort-sigs] sid: 2486 - false positive and false negatives, Fabio Panigatti
Next by Thread:  [Snort-sigs] help in implementing react keyword, mukherji rakesh
Indexes:  [Date] [Thread] [Top] [All Lists]