Snort rules for JPEG buffer overrun vulnerability


Darksat

Yellow Belt
For those of you running an intrusion detection system on your network, you might find this useful; it is a set of Snort rules designed to detect and block corrupted incoming JPEGs.
This should run with Snort and a wide range of other IDS apps.
Hope you find it useful,
Darksat


Code:
# Rule as posted, re-joined onto one line: the line wrap had split "Content-Type" and
# dropped the closing parenthesis. The sid/rev are placeholders in the local range
# (sid >= 1000000); replace them with your own before loading the rule.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEBCLIENT JPEG parser heap overflow attempt"; flow:from_server,established; content:"image/jp"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fjpe?g.*\xFF\xD8.{2}.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/smi"; sid:1000001; rev:1;)
 