Home page logo

snort logo Snort mailing list archives

Re: Rule 17494
From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 01 Oct 2010 16:14:52 -0400

On 10/1/2010 15:08, Jefferson, Shawn wrote:
Anyone else notice this rule, 17494 triggering a lot today?  Or is it just me…
it’s an old vulnerability from 2006.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT Microsoft
Internet Explorer Long URL Buffer Overflow attempt"; flow:established,to_server;
urilen:>260; content:"GET"; http_method; content:"HTTP|2F|1|2E|1|0D 0A|";
metadata:service http; reference:bugtraq,19667; reference:cve,2006-3869;
classtype:attempted-user; sid:17494; rev:1;)

please remember to include the GID (and revision)... AFAICT, this is either a 
GID:3 (SO rule) or it is one of the new ones not yet available to "registered" 

thank you ;)

Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]