HTTP "Connection" field buffer overflow (HTTP_Connection_Overflow)

About this signature or vulnerability

RealSecure Network, RealSecure Desktop Protector, RealSecure Server Sensor, BlackICE Server Protection, BlackICE PC Protection, BlackICE Agent for Server, RealSecure Sentry, RealSecure Guard, IBM Security Server Protection for Windows, Proventia Network MFS, Proventia Desktop, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Server IPS for Linux technology, Proventia Network IPS, RealSecure Desktop Protector 3.6, Virtual Server Protection for VMware:

This signature detects an overflow in the HTTP Connection field.


Default risk level

Medium

Sensors that have this signature

RealSecure Network: 7.0, RealSecure Desktop Protector: 3.6, RealSecure Server Sensor: 7.0, BlackICE Server Protection: 3.6.cbd, BlackICE PC Protection: 3.6.cbd, BlackICE Agent for Server: 3.6, RealSecure Sentry: 3.6, RealSecure Guard: 3.6, IBM Security Server Protection for Windows: 1.0.914.0, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Network MFS: 1.0, Proventia Desktop: 8.0.614.1, Proventia-G 1.1 and earlier: G Series, Proventia Network IDS: A Series, RealSecure Desktop: baseline, Proventia Server IPS for Linux technology: 1.0, Proventia Network IPS: 2.0, RealSecure Desktop Protector 3.6: baseline, Virtual Server Protection for VMware: 1.0

Systems affected

Various vendors: Any application, IETF: HTTP/1.1

Type

Unauthorized Access Attempt

Vulnerability description

An HTTP request containing a malformed "Connection" field could indicate a remote attacker's attempt to execute arbitrary commands on the system. A normal HTTP "Connection" field should look similar to "Connection: Keep-Alive".

How to remove this vulnerability

No remedy available as of February 2002.

References

ISS X-Force
HTTP "Connection" field buffer overflow
http://www.iss.net/security_center/static/8234.php