Open JonZeolla opened 7 years ago
Thanks for bringing this to attention. I searched time-machine data on my end and couldn't quite find a pcap to check against the modified detection. Do you, by any chance, happen to have a pcap which captures S2-046 exploitation?
I did pull the Snort PCRE into the script, but it looks like tapping into the HTTP-header event and checking for Content-Length > 2GB if server == /Apache/ seems like a reliable heuristic.
I may have something, I'll take a look and report back.
I sent you an email with a pcap.
This script only appears to monitor for S2-045 exploits, not S2-046. Both are being identified as CVE-2017-5638. Here is a related write-up, and ET has released a Snort signature here.