Snort Rules to Detect JPEG GDI+ Exploits

If you use Snort then you might want to make sure your rules are up to date to contain detection for the JPEG GDI+ vulnerability. If you don't have rules in place for such detection then here are three that you can add:

JPEG parser heap overflow attempt"; flow:from_server,established;
content:"image/jp"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fjpe?g.*\xFF\xD8.\{2\}.*\xFF\[\xE1\xE2\xED\xFE\]\x00\[\x00\x01\]/smi";reference:bugtraq,11173; reference:cve,CAN-2004-0200; reference:url,;
classtype:attempted-admin; sid:2705; rev:2;) 

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG transfer"; flow:from_server,established; content:"image/jp"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fjpe?g/smi"; flowbits:set,http.jpeg; flowbits:noalert; classtype:protocol-command-decode; sid:2706; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser multipacket heap overflow"; flow:from_server,established; flowbits:isset,http.jpeg; content:"|FF|"; pcre:"/\xFF\[\xE1\xE2\xED\xFE\]\x00\[\x00\x01\]/"; reference:bugtraq,11173; reference:cve,CAN-2004-0200; reference:url,; classtype:attempted-admin; sid:2707; rev:1;)

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.