Disclaimer

SNORTID
Enter a Snort ID to lookup (e.g 1:269)

"Snort" is a registered trademark of Sourcefire, Inc.

Site owned and maintained by Liam Somerville

©2009 SnortID.com - Developed by Cook Computing

Search String: 119:15

N.B.: Maximum of 50 results are displayed

SidSummaryImpact Detailed InformationAffected SystemsAttack ScenariosEase of AttackFalse PositiveFalse Negative Corrective ActionContributorsAdditional References
119:15 This event is generated when the pre-processor http_inspect detects network traffic that may constitute an attack. Unknown. This may indicate an attempt to evade an IDS or an attack on a web server. This event is generated when the http_inspect pre-processor detects a request for a URL that is longer than a specified length. This may indicate an attack or an attempt to evade an IDS. Lotus Domino Server Web servers are reported prone to a Denial of Service condition when a long request is made to the server using unicode characters. The http_inspect pre-processor will generate this event should a Domino server be attacked in this way. Specifically, when a request is made to /cgi-bin/ with approximately 330 unicode characters appended to the URL, the webserver will crash and a DoS condition will be evident. Stack-based buffer overflow in the map_uri_to_worker function (native/common/jk_uri_worker_map.c) in mod_jk.so for Apache Tomcat JK Web Server Connector 1.2.19 and 1.2.20, as used in Tomcat 4.1.34 and 5.5.20, allows remote attackers to execute arbitrary code via a long URL that triggers the overflow in a URI worker map routine. The maximum expected length of the URL is user configured. This event can be controlled using the ((http_inspect)) configuration options. All web servers Lotus Domino 6.5.1 and 6.0.3 An attacker may supply an over-long URI in an attempt to evade an IDS or in a possible attack against a web server. Simple. None Known. None Known. Check the target host for signs of compromise. Apply any appropriate vendor supplied patches. Upgrade to the latest non-affected version of the software. Daniel Roelker Sourcefire Vulnerability Research Team Nigel Houghton HTTP IDS Evasions Revisited - Daniel Roelker
http://docs.idsresearch.org/http_ids_evasions.pdf
iDefense:
http://www.idefense.com/application/poi/display?id=224&type=vulnerabilities
NIST:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0774