This script only appears to monitor for s2-045 exploits, not s2-046. Both are being identified as CVE-2017-5638. Here is a related write-up, and ET has released a snort signature here.
Thanks for bringing this to attention. I searched time-machine data on my end and couldn't quite find a pcap to check against modified detection. Do you, by any chance, happen to have a pcap which captures s2-046 exploitation?
I did pull the Snort pcre into the script, but it looks like tapping into the HTTP-header event and checking for content-length > 2GB if server == /Apache/ seems like a reliable heuristic.
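
One reading of the heuristic from the comment above, as an added example that is not the project's script: flag an HTTP transaction when the request declares a Content-Length above 2 GB and the response Server header matches /Apache/. The function names, the pairing of request and response headers, and the sample transactions are assumptions constructed for illustration.

```python
import re

TWO_GB = 2 * 1024 ** 3          # threshold taken from the comment above
APACHE = re.compile(r"Apache")  # the comment's server == /Apache/ test

def parse_headers(raw):
    """Map lower-cased header names to values; the first line is skipped."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:             # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def declared_length(headers):
    """Return Content-Length as an int, or None if absent or not a plain number."""
    value = headers.get("content-length", "")
    return int(value) if value.isascii() and value.isdigit() else None

def check_transaction(request_raw, response_raw):
    """Return a finding dict when both halves of the heuristic match, else None."""
    length = declared_length(parse_headers(request_raw))
    server = parse_headers(response_raw).get("server", "")
    if length is None or length <= TWO_GB or not APACHE.search(server):
        return None
    return {"content_length": length, "server": server}

def make_pair(length, server):
    """Build a constructed request/response header pair (no body, no payload)."""
    request = ("POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
               "Content-Type: multipart/form-data; boundary=x\r\n"
               f"Content-Length: {length}\r\n\r\n")
    response = f"HTTP/1.1 200 OK\r\nServer: {server}\r\n\r\n"
    return request, response

# Constructed sample transactions, not captured traffic.
SAMPLES = {
    "oversized, Apache": make_pair("10000000000", "Apache-Coyote/1.1"),
    "normal upload, Apache": make_pair("48213", "Apache-Coyote/1.1"),
    "oversized, other server": make_pair("10000000000", "nginx"),
    "malformed length": make_pair("12abc", "Apache-Coyote/1.1"),
}

if __name__ == "__main__":
    for label, (req, resp) in SAMPLES.items():
        print(f"{label}: {check_transaction(req, resp)}")
```

Because the Content-Length arrives in the request and the Server header in the response, a sensor has to carry the oversized-length flag per connection until the response headers are seen.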