Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] Possible Evasion in http_inspect

from [Jennifer Steffens] Network Security [Permanent Link]
Subject: [Snort-sigs] Possible Evasion in http_inspect
Date: Wed, 31 May 2006 18:28:27 -0400 
Sourcefire is aware of a possible Snort evasion that exists in the
http_inspect preprocessor.  This evasion case only applies to protected
Apache web servers. We have prepared fixes for both the 2.4 and 2.6
branches and will have fully tested releases, including binaries,
available for both on Monday, June 5th.


Evasion Details:

The Apache web server supports special characters in HTTP requests that
do not affect the processing of the particular request.  The current
target-based profiles for Apache in the http_inspect preprocessor do not
properly handle these requests, resulting in the possibility that an
attacker can bypass detection of rules that use the "uricontent" keyword
by embedding special characters in a HTTP request.


Background Information:

It is important to note that this is an evasion and not a vulnerability.
This means that while it is possible for an attacker to bypass
detection, Snort sensors and the networks they protect are not at a
heightened risk of other attacks.


Timeline:

Sourcefire has prepared fixes and is currently finalizing a complete
round of testing to ensure that the fixes not only solve the issue at
hand but do not create new bugs as well. The following releases,
including binaries for Linux and Windows deployments, will be available
on Monday, June 5th:

* Snort v2.4.5
* Snort v2.6.0 final


Questions:

Any questions regarding these releases can be sent to
snort-team@sourcefire.com.

Thanks,
Jennifer


-- 
Jennifer S. Steffens
Director, Product Management - Snort
Sourcefire - Security for the Real World
W: 410.423.1930 | C: 202.409.7707
www.sourcefire.com | www.snort.org




-------------------------------------------------------
All the advantages of Linux Managed Hosting--Without the Cost and Risk!
Fully trained technicians. The highest number of Red Hat certifications in
the hosting industry. Fanatical Support. Click to learn more
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=107521&bid=248729&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Snort-sigs] Possible Evasion in http_inspect, Jennifer Steffens <=
Previous by Date:  Re: [Snort-sigs] Bug report - Telnet negotiation based FTP signature evasion, Steven Sturges
Previous by Thread:  [Snort-sigs] Ginwin improvments?, Ureleet Ureleet
Indexes:  [Date] [Thread] [Top] [All Lists]