CVE-2002-0392
PUBLISHED
## Snort IDS/IPS Mitigation Rules (2 rules)
The following Emerging Threats Snort rules detect exploitation of this vulnerability:
### Rule 1: SID 2101808 (rev 7)
**GPL EXPLOIT apache chunked encoding memory corruption exploit attempt**
> **Note:** This rule is currently disabled in the Emerging Threats ruleset.
```snort
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT apache chunked encoding memory corruption exploit attempt"; flow:established,to_server; content:"|C0|PR|89 E1|PQRP|B8 3B 00 00 00 CD 80|"; reference:bugtraq,5033; reference:cve,2002-0392; classtype:web-application-activity; sid:2101808; rev:7; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2011_05_17;)
```
---
### Rule 2: SID 2101809 (rev 11)
**GPL WEB_SERVER Apache Chunked-Encoding worm attempt**
> **Note:** This rule is currently disabled in the Emerging Threats ruleset.
```snort
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"CCCCCCC|3A| AAAAAAAAAAAAAAAAAAA"; fast_pattern:only; nocase; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; classtype:web-application-attack; sid:2101809; rev:11; metadata:created_at 2010_09_23, signature_severity Unknown, updated_at 2011_05_17;)
```
### Implementation Steps
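1. Deploy these rules to your Snort/Suricata IDS/IPS sensors.
2. Ensure all rules are enabled in your sensor configuration. Both rules above are shipped commented out (leading `#`), so they do not load until enabled.
3. Monitor for alerts matching the above SIDs (2101808 and 2101809).
4. For IPS mode, consider changing the action from `alert` to `drop`.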
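Steps 2 and 4 as an added example (not part of the Emerging Threats ruleset or its tooling): a shell helper that uncomments rules by SID in a local rules file and sets their action. The function names `make_sample_rules` and `enable_sids` are hypothetical, and the sample rules are constructed, shortened stand-ins for the two rules above.

```shell
#!/bin/sh
# Constructed sample: shortened stand-ins for the two rules plus one decoy SID.
make_sample_rules() {
    cat > "$1" <<'EOF'
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"sample A"; sid:2101808; rev:7;)
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"sample B"; sid:2101809; rev:11;)
#alert tcp any any -> any any (msg:"decoy, must stay disabled"; sid:21018080; rev:1;)
EOF
}

# enable_sids RULES_FILE ACTION SID...   (hypothetical helper)
# Uncomments each rule carrying one of the SIDs and sets its action.
# Prints how many lines changed; all other lines are copied unchanged.
enable_sids() {
    rules_file=$1; action=$2; shift 2
    case $action in alert|drop) ;; *) echo "action must be alert or drop" >&2; return 2 ;; esac
    for s in "$@"; do   # SIDs go into a regex below, so accept digits only
        case $s in ''|*[!0-9]*) echo "bad sid: $s" >&2; return 2 ;; esac
    done
    tmp=$(mktemp) || return 1
    count=$(awk -v action="$action" -v sids="$*" -v out="$tmp" '
        BEGIN { n = split(sids, want, " "); changed = 0 }
        {
            line = $0
            for (i = 1; i <= n; i++) {
                # Exact option match: sid:2101808; must not hit sid:21018080;
                if (line ~ ("[;(] *sid: *" want[i] " *;")) {
                    # Drop the leading "#" and rewrite the action keyword.
                    sub(/^[ \t]*#?[ \t]*(alert|drop)[ \t]+/, action " ", line)
                    if (line != $0) changed++
                    break
                }
            }
            print line > out
        }
        END { print changed }
    ' "$rules_file") || { rm -f "$tmp"; return 1; }
    # Write back through the original inode to keep ownership and mode.
    cat "$tmp" > "$rules_file" && rm -f "$tmp"
    echo "$count"
}
```

If a rule manager regenerates the rules file on update, a direct edit like this is overwritten; make the same enable and drop selections by SID in that tool's own configuration instead.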
EPSS 55.69% · 98.1th percentile