initconf / CVE-2017-5638_struts

detection for Apache Struts recon and compromise

New exploitation vector #3

Open JonZeolla opened 7 years ago

JonZeolla commented 7 years ago

This script only appears to monitor for s2-045 exploits, not s2-046. Both are being identified as CVE-2017-5638. Here is a related write-up, and ET has released a snort signature here.

initconf commented 7 years ago

Thanks for bringing this to attention. I searched time-machine data on my end and couldn't quite find a pcap to check against modified detection. Do you, by any chance, happen to have a pcap which captures s2-046 exploitation?

I did pull snort pcre into the script, but it looks like tapping into the HTTP-header event and checking for content-length > 2GB if server == /Apache/ seems like a reliable heuristic.
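The heuristic described in the comment above, written out as an added Zeek (Bro) script example. This is not the repository's own script: the module name, the notice type, the `apache_servers` set, the expiry intervals and the exact 2 GiB cutoff are assumptions made for the example.

```zeek
# Added example, not the repository's script: raise a notice when an HTTP
# request declares a Content-Length above 2 GiB and the responding host has
# previously identified itself with a Server header matching /Apache/.
@load base/frameworks/notice
@load base/protocols/http

module Struts046Heuristic;

export {
    redef enum Notice::Type += {
        ## A request carried a Content-Length above the threshold.
        Oversized_Content_Length,
    };

    ## Cutoff taken from the "content-length > 2GB" wording in the issue;
    ## the exact boundary (2 GiB here) is an assumption.
    const content_length_threshold: count = 2147483648 &redef;
}

# Hosts seen answering with an Apache Server header (hypothetical bookkeeping;
# entries expire so the set does not grow without bound).
global apache_servers: set[addr] &create_expire = 1 day;

event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    # Zeek hands header names to this event in upper case.

    # Response side: remember servers that identify as Apache.
    if ( ! is_orig )
    {
        if ( name == "SERVER" && /Apache/ in value )
            add apache_servers[c$id$resp_h];
        return;
    }

    # Request side: only the declared body length matters here.
    if ( name != "CONTENT-LENGTH" )
        return;

    # to_count() returns 0 for a non-numeric value (and records the bad
    # conversion in reporter.log), which simply fails the threshold test.
    local declared = to_count(value);
    if ( declared <= content_length_threshold )
        return;

    # Scope to Apache-identified servers as the comment proposes; removing
    # this condition gives a broader but noisier check.
    if ( c$id$resp_h !in apache_servers )
        return;

    NOTICE([$note=Oversized_Content_Length,
            $conn=c,
            $msg=fmt("Content-Length %d exceeds %d on an Apache-identified server",
                     declared, content_length_threshold),
            $identifier=cat(c$id$orig_h, c$id$resp_h),
            $suppress_for=1 hr]);
}
```

Because the Server header only arrives in the response, the Apache condition can only be satisfied for hosts already seen in an earlier exchange; the first request to a previously unseen server is not flagged. Legitimate very large uploads will also trip the size test, so the notice is a lead for review rather than proof of compromise.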

JonZeolla commented 7 years ago

I may have something, I'll take a look and report back.

JonZeolla commented 7 years ago

I sent you an email with a pcap.