Saturday, April 18, 2015

MS15-034 (CVE-2015-1635) - Snort Rule

MS15-034 is currently being actively exploited in the wild. Several blogs describe the issue and provide PoCs for it. I've put together a very basic Snort rule based on the blog post from Didier Stevens. The rule simply looks for the canonical PoC value (18446744073709551615, the largest unsigned 64-bit integer) in a client-to-server Range header, so it catches the published PoCs but will not match other malformed ranges.



# Local rules should use a sid of 1000000 or higher; lower values are reserved for the official Snort ruleset.
# flow:to_server restricts matching to the client-to-server direction even though the rule header is bidirectional (<>).
alert tcp any any <> any any (msg:"MS Windows: CVE-2015-1635"; flow:to_server,established; pcre:"/^Range:\x20bytes[^\r\n]*18446744073709551615/smi"; classtype:attempted-dos; sid:1000001; rev:1;)
  

Sample capture here.
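To see what the rule's PCRE does and does not match without a Snort sensor, here is an added Python example (not part of the original post) that applies the same regex to a few constructed HTTP requests, including the wget request shown in the comments below. It also includes a header-parsing check that flags any byte-range bound of 2^64-1 or larger; that threshold is my assumption for illustrating a less brittle check, not something the post claims about HTTP.sys, and the sample requests are constructed rather than taken from the capture.

```python
import re

UINT64_MAX = 2**64 - 1  # 18446744073709551615, the upper bound used in the PoC

# Python rendering of the rule's PCRE: /^Range:\x20bytes[^\r\n]*18446744073709551615/smi
RULE_PCRE = re.compile(rb"^Range:\x20bytes[^\r\n]*18446744073709551615",
                       re.MULTILINE | re.DOTALL | re.IGNORECASE)


def matches_rule(request: bytes) -> bool:
    """True if the post's PCRE would fire on this raw request payload."""
    return RULE_PCRE.search(request) is not None


def parse_byte_ranges(request: bytes):
    """Return (start, end) pairs from the Range header in the header block only.

    Each side is an int, or None when open-ended or not decimal digits.
    Assumed helper for this example; Snort itself does no such parsing.
    """
    head, _, _body = request.partition(b"\r\n\r\n")
    ranges = []
    for line in head.split(b"\r\n")[1:]:            # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"range":
            continue
        unit, eq, spec = value.strip().partition(b"=")
        if not eq or unit.strip().lower() != b"bytes":
            continue
        for part in spec.split(b","):
            start, dash, end = part.strip().partition(b"-")
            if not dash:
                continue
            s = int(start) if start.isdigit() else None
            e = int(end) if end.isdigit() else None
            ranges.append((s, e))
    return ranges


def suspicious_range(request: bytes) -> bool:
    """Heuristic (an assumption for this example): flag any byte-range bound
    that is 2^64-1 or larger, i.e. the PoC value or one that cannot even be
    represented in an unsigned 64-bit integer."""
    return any(v is not None and v >= UINT64_MAX
               for s, e in parse_byte_ranges(request) for v in (s, e))


# Constructed sample requests (not from the post's capture).
POC = (b"GET / HTTP/1.1\r\nHost: host\r\n"
       b"Range: bytes=1-18446744073709551615\r\n\r\n")          # the wget from the comments
BENIGN = (b"GET /big.iso HTTP/1.1\r\nHost: host\r\n"
          b"Range: bytes=0-1048575\r\n\r\n")                     # ordinary resumable download
NO_SPACE = (b"GET / HTTP/1.1\r\nHost: host\r\n"
            b"Range:bytes=0-18446744073709551615\r\n\r\n")       # no space after the colon; rule needs \x20
TWO_TO_64 = (b"GET / HTTP/1.1\r\nHost: host\r\n"
             b"Range: bytes=0-18446744073709551616\r\n\r\n")     # 2^64, not the PoC literal
BODY_ONLY = (b"POST /echo HTTP/1.1\r\nHost: host\r\nContent-Length: 37\r\n\r\n"
             b"Range: bytes=0-18446744073709551615\r\n")          # header text inside the body

if __name__ == "__main__":
    for name, req in [("POC", POC), ("BENIGN", BENIGN), ("NO_SPACE", NO_SPACE),
                      ("TWO_TO_64", TWO_TO_64), ("BODY_ONLY", BODY_ONLY)]:
        print(f"{name:10} rule={matches_rule(req)!s:5} parsed={suspicious_range(req)}")
```

Two things the run makes visible: because the PCRE uses the /m flag, `^` matches at the start of any line in the payload, so the same text in a POST body trips the rule even though it is not a header; and because it requires exactly one space (`\x20`) after `Range:`, a request with no whitespace there, which the HTTP grammar permits, is not matched at all. The header parser is only an illustration of a less literal check, not a replacement for the rule.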

2 comments:

  1. I added this rule but it doesn't seem to be firing when doing a simple wget request. Can you show the wget request to trigger this rule? Thanks!

  2. My bad, there was a minor bug in the direction of the rule. Fixed it. Try using the updated rule.

    wget --header "Range: bytes=1-18446744073709551615" http://host

    This wget should get the rule triggering.
