EmergingThreats> Main Web>2002764 (2009-02-09, RickChisholm) EditAttach

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT WinProxy? Host port buffer overflow"; flow:established,to_server; content:"Host\:"; nocase; within:500; pcre:"/\nHost\:\s*((?!\s*https?\:|\s*ftp\:)|https?\:|ftp\:)[^\n\:]*\:[^\n]{7}/i"; reference:cve,2005-4085; reference:bugtraq,16147; classtype:bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2002764; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_WinProxy; sid:2002764; rev:5;)

Added 2009-02-07 22:00:26 UTC

FP - Cisco Soft Phone activity, see pcap.

-- RickChisholm - 09 Feb 2009

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT WinProxy? Host port buffer overflow"; flow:established,to_server; content:"Host\:"; nocase; within:500; pcre:"/\nHost\:\s*((?!\s*https?\:|\s*ftp\:)|https?\:|ftp\:)[^\n\:]*\:[^\n]{7}/i"; reference:cve,2005-4085; reference:bugtraq,16147; classtype:bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2002764; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_WinProxy; sid:2002764; rev:5;)

Added 2009-02-07 22:00:26 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT WinProxy? Host port buffer overflow"; flow:established,to_server; content:"Host\:"; nocase; within:500; pcre:"/\nHost\:\s*((?!\s*https?\:|\s*ftp\:)|https?\:|ftp\:)[^\n\:]*\:[^\n]{7}/i"; reference:cve,2005-4085; reference:bugtraq,16147; classtype:bad-unknown; sid:2002764; rev:4;)

Added 2008-01-25 10:56:38 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT WinProxy? Host port buffer overflow"; flow:established,to_server; content:"Host\:"; nocase; within:500; pcre:"/\nHost\:\s*((?!\s*https?\:|\s*ftp\:)|https?\:|ftp\:)[^\n\:]*\:[^\n]{7}/i"; reference:cve,2005-4085; reference:bugtraq,16147; classtype:bad-unknown; sid:2002764; rev:4;)

Added 2008-01-25 10:56:38 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT WinProxy? Host port buffer overflow"; flow:established,to_server; content:"Host\:"; nocase; within:500; pcre:"/\nHost\:\s*((?!\s*https?\:|\s*ftp\:)|https?\:|ftp\:)[^\n\:]*\:[^\n]{7}/i"; reference:cve,2005-4085; reference:bugtraq,16147; classtype:bad-unknown; sid:2002764; rev:3; )

Added 2007-10-27 10:16:07 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT WinProxy? Host port buffer overflow"; flow:established,to_server; content:"Host\:"; nocase; within:500; pcre:"/\nHost\:\s*((?!\s*https?\:|\s*ftp\:)|https?\:|ftp\:)[^\n\:]*\:[^\n]{7}/i"; reference:cve,2005-4085; reference:bugtraq,16147; classtype:bad-unknown; sid:2002764; rev:3; )

Added 2007-10-27 10:16:07 UTC

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE WEB MISC WinProxy? Host port buffer overflow"; flow:established,to_server; content:"Host\:"; nocase; within:500; pcre:"/\nHost\:\s*((?!\s*https?\:|\s*ftp\:)|https?\:|ftp\:)[^\n\:]*\:[^\n]{7}/i"; reference:cve,2005-4085; reference:bugtraq,16147; classtype:bad-unknown; sid:2002764; rev:3; )

Attachments Attachments
Topic attachments
I Attachment Action Size Date Who Comment
Unknown file formatpcap ET-WinProxy-Buf-Ovrflw-FP.pcap manage 0.3 K 2009-02-09 - 20:04 UnknownUser  
Edit | Attach | Print version | History: r2 < r1 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r2 - 2009-02-09 - RickChisholm
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats