Darksat
Guest
For those of you running an intrusion detection system on your network, you might find this useful: it is a set of Snort rules designed to detect and block corrupted incoming JPEGs.
This should run with Snort and a wide range of other IDS apps.
Code:
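# The rule text in the post ends after the pcre option; sid:1000001 and rev:1
# are local-range placeholders added only so the rule closes and loads.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"WEBCLIENT JPEG parser heap overflow attempt"; \
    flow:from_server,established; \
    content:"image/jp"; nocase; \
    pcre:"/^Content-Type\s*\x3a\s*image\x2fjpe?g.*\xFF\xD8.{2}.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/smi"; \
    sid:1000001; rev:1;)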
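Added example, not part of the original post or of Snort: the rule's PCRE translated to Python (with the header written as `Content-Type`) and run over constructed responses, next to a structural check that walks JPEG marker segments and flags a declared length below 2, which is invalid because the length field counts its own two bytes. The function names and sample bytes are assumptions made for this illustration; the third sample shows the regex alerting on a well-formed file whose comment payload merely contains the byte pattern.

```python
import re
import struct

# The rule's PCRE as a bytes pattern; /smi maps to DOTALL | MULTILINE | IGNORECASE.
RULE_RE = re.compile(
    rb"^Content-Type\s*\x3a\s*image\x2fjpe?g.*\xFF\xD8.{2}.*"
    rb"\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]",
    re.S | re.M | re.I,
)

def rule_matches(http_response: bytes) -> bool:
    """True if the rule's regex would fire on this server response."""
    return RULE_RE.search(http_response) is not None

def bad_segment(jpeg: bytes):
    """Walk marker segments after SOI; return the marker byte of the first
    segment whose declared length is < 2, or None if none is found."""
    if jpeg[:2] != b"\xFF\xD8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            return None                      # lost marker sync: stop walking
        marker = jpeg[pos + 1]
        if marker == 0xDA:                   # SOS: entropy-coded data follows
            return None
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2:
            return marker
        pos += 2 + length                    # marker (2 bytes) + segment body
    return None

# Constructed sample data (header fragments only, not real images).
HDR = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
SOI, EOI = b"\xFF\xD8", b"\xFF\xD9"
APP0 = b"\xFF\xE0\x00\x10" + b"JFIF\x00" + bytes(9)        # valid, length 16
BENIGN = SOI + APP0 + b"\xFF\xFE\x00\x06test" + EOI         # COM, length 6
MALFORMED = SOI + APP0 + b"\xFF\xFE\x00\x00" + EOI          # COM, length 0
LOOKALIKE = SOI + APP0 + b"\xFF\xFE\x00\x06\xFF\xE1\x00\x01" + EOI  # valid COM

if __name__ == "__main__":
    for name, img in [("benign", BENIGN), ("malformed", MALFORMED),
                      ("lookalike", LOOKALIKE)]:
        print(name, "regex:", rule_matches(HDR + img),
              "structural:", bad_segment(img))
```

Because the regex scans for the four-byte pattern anywhere after the SOI marker, a segment-aware check like `bad_segment` is a useful triage step when this rule alerts.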