Cisco Support Community
Community Member

Is there a signature for the Apache 2.x Line feed memory leak DoS?

I am wanting to write a signature for it, but have no traffic with the exploit. If anyone can help? Thanx.

2 REPLIES
Bronze

Re: Is there a signature for the Apache 2.x Line feed memory leak

Below is a 3.1 signature screenshot of a signature for this vulnerability. It also can be modified for 4.0 sensors. This will be added to the upcoming S44 signature update. Before you ask, we should be releasing S43 in the next day or two.

--mtc

Tune Signature Parameters : CSIDS Signature Wizard

___________________________________________________________________________

Current Signature: Engine STRING.TCP SIGID 20001

SigName: Apache CR / LF DoS

___________________________________________________________________________

0 - Edit ALL Parameters

1 - AlarmInterval =

2 - AlarmThrottle = FireOnce

3 - ChokeThreshold =

4 - Direction = ToService

5 - FlipAddr =

6 - LimitSummary =

7 - MaxInspectLength =

8 - MinHits = 1

9 - MinMatchLength =

10 - MultipleHits =

11 * RegexString = (\x0D\x0A){25,}

12 - ResetAfterIdle = 15

13 - ServicePorts = 80,3128,8000,8010,8080,8888

14 - SigComment =

15 - SigName = Apache CR / LF DoS

16 - SigStringInfo =

17 - StripTelnetOptions =

18 - ThrottleInterval = 15

19 - WantFrag =

d - Delete a value

u - UNDO and continue

x - SAVE and continue

___________________________________________________________________________
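
An offline check of the RegexString from the signature above, added here as an example (it is not part of the original reply or of Cisco's tooling). It assumes an already reassembled client-to-server stream and models only ServicePorts, Direction, RegexString and MinHits; the function names and all sample streams are constructed for illustration.

```python
import re

# Parameters copied from the STRING.TCP signature posted in the reply.
REGEX_STRING = rb"(\x0D\x0A){25,}"
SERVICE_PORTS = {80, 3128, 8000, 8010, 8080, 8888}
MIN_HITS = 1

_PATTERN = re.compile(REGEX_STRING)


def signature_fires(dst_port, to_service_stream):
    """Return True if the client-to-server byte stream would match.

    Simplified model (assumption): how the sensor counts hits is not shown
    on the page, so each non-overlapping regex match counts as one hit.
    """
    if dst_port not in SERVICE_PORTS:
        return False
    hits = sum(1 for _ in _PATTERN.finditer(to_service_stream))
    return hits >= MIN_HITS


def longest_crlf_run(stream):
    """Length, in CR LF pairs, of the longest consecutive run in the stream."""
    runs = re.findall(rb"(?:\r\n)+", stream)
    return max((len(run) // 2 for run in runs), default=0)


# Constructed sample streams (not captured traffic): (destination port, bytes).
SAMPLES = {
    "ordinary request": (80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "24 pairs": (80, b"\r\n" * 24),
    "25 pairs": (8080, b"\r\n" * 25 + b"GET / HTTP/1.0\r\n\r\n"),
    "unlisted port": (8443, b"\r\n" * 40),
    "LF only": (80, b"\n" * 40),
}


def evaluate():
    """Map each sample name to whether the modelled signature fires."""
    return {name: signature_fires(port, data)
            for name, (port, data) in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        run = longest_crlf_run(SAMPLES[name][1])
        print(f"{name:18} longest CR LF run={run:3} fires={fired}")
```

The ordinary request ends with only two consecutive CR LF pairs, which is why a threshold of 25 leaves normal HTTP traffic alone. The pattern counts CR LF pairs only, so the LF-only sample does not alarm and needs its own pattern if that traffic should be covered.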

Community Member

Re: Is there a signature for the Apache 2.x Line feed memory leak

Thanx

I was able to find the exploit and come up with something similar.
