CVE-2002-0392
## Snort IDS/IPS Mitigation Rules (2 rules)

The following Emerging Threats Snort rules detect exploitation of this vulnerability:

### Rule 1: SID 2101808 (rev 7)

**GPL EXPLOIT apache chunked encoding memory corruption exploit attempt**

> **Note:** This rule is currently disabled in the Emerging Threats ruleset.

```snort
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT apache chunked encoding memory corruption exploit attempt"; flow:established,to_server; content:"|C0|PR|89 E1|PQRP|B8 3B 00 00 00 CD 80|"; reference:bugtraq,5033; reference:cve,2002-0392; classtype:web-application-activity; sid:2101808; rev:7; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2011_05_17;)
```

---

### Rule 2: SID 2101809 (rev 11)

**GPL WEB_SERVER Apache Chunked-Encoding worm attempt**

> **Note:** This rule is currently disabled in the Emerging Threats ruleset.

```snort
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"CCCCCCC|3A| AAAAAAAAAAAAAAAAAAA"; fast_pattern:only; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; classtype:web-application-attack; sid:2101809; rev:11; metadata:created_at 2010_09_23, signature_severity Unknown, updated_at 2011_05_17;)
```

### Implementation Steps

1. Deploy these rules to your Snort/Suricata IDS/IPS sensors
2. Ensure all rules are enabled in your sensor configuration
3. Monitor for alerts matching the above SIDs
4. For IPS mode, consider changing action from `alert` to `drop`
EPSS 53.89% · 98.1th percentile
Risk Scores
Exploit Intelligence
- SERVER-APACHE Apache Chunked-Encoding worm attempt [disabled] (vulnetix)
- SERVER-APACHE Apache Chunked-Encoding worm attempt [disabled] (community-snort)
- GPL WEB_SERVER Apache Chunked-Encoding worm attempt [disabled] (emergingthreats)
- GPL EXPLOIT apache chunked encoding memory corruption exploit attempt [disabled] (emergingthreats)
…and 1 more exploits
Timeline
- CVE Published
- Sep 23, 2010 PoC Published
- Feb 4, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Oct 27, 2022 EPSS Score
- Dec 18, 2022 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 17, 2023 EPSS Score
- May 26, 2023 EPSS Score
- Sep 8, 2023 EPSS Score
- Nov 8, 2023 EPSS Score
References
- Emerging Threats Snort Rule SID 2101808 mitigation
- https://www.securityfocus.com/bid/5033 advisory
- Emerging Threats Snort Rule SID 2101809 mitigation
- https://www.securityfocus.com/bid/4474 advisory
- https://www.securityfocus.com/bid/4485 advisory