HTTP "Connection" field buffer overflow (HTTP_Connection_Overflow)

About this signature or vulnerability

RealSecure Network, RealSecure Server Sensor, RealSecure Desktop Protector, BlackICE Agent for Server, BlackICE PC Protection, RealSecure Sentry, RealSecure Guard, Proventia Server IPS for Microsoft Windows technology, BlackICE Server Protection, Proventia Network IPS, Proventia Desktop, Proventia Server IPS for Linux technology, RealSecure Desktop Protector 3.6, Proventia Network MFS, Proventia Network IDS, Proventia-G 1.1 and earlier:

This signature detects an overflow in the HTTP Connection field.


Default risk level

Medium

Sensors that have this signature

RealSecure Network: 7.0, RealSecure Server Sensor: 7.0, RealSecure Desktop Protector: 3.6, BlackICE Agent for Server: 3.6, BlackICE PC Protection: 3.6.cbd, RealSecure Sentry: 3.6, RealSecure Guard: 3.6, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, BlackICE Server Protection: 3.6.cbd, Proventia Network IPS: 2.0, Proventia Desktop: 8.0.614.1, Proventia Server IPS for Linux technology: 1.0, RealSecure Desktop Protector 3.6: baseline, Proventia Network MFS: 1.0, Proventia Network IDS: A Series, Proventia-G 1.1 and earlier: G Series, RealSecure Desktop: baseline

Systems affected

Various vendors Any application, IETF HTTP/1.1

Type

Unauthorized Access Attempt

Vulnerability description

An HTTP request containing a malformed "Connection" field could indicate a remote attacker's attempt to execute arbitrary commands on the system. A normal HTTP "Connection" field should look similar to "Connection: Keep-Alive".
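The check described above, sketched as an added example; it is not ISS code and not the signature's actual logic. It flags a "Connection" value that is overlong or whose comma-separated options are not valid HTTP/1.1 tokens. The 128-byte limit, the function name and the sample requests are assumptions constructed for illustration.

```python
import re

# Assumed limit for this example; the page does not state the signature's threshold.
MAX_CONNECTION_VALUE = 128
# A connection option is an HTTP "token" (RFC 7230, sections 3.2.6 and 6.1).
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def connection_findings(raw_request: bytes) -> list[str]:
    """Return the reasons a request's Connection header(s) look malformed."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    findings = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"connection":
            continue
        value = value.strip(b" \t")
        if len(value) > MAX_CONNECTION_VALUE:
            findings.append(
                f"value is {len(value)} bytes (limit {MAX_CONNECTION_VALUE})"
            )
        for option in value.split(b","):
            option = option.strip(b" \t")
            # Empty list elements are tolerated; anything else must be a token.
            if option and not TOKEN.fullmatch(option):
                findings.append(f"option {option[:20]!r} is not a valid token")
    return findings


# Constructed sample requests (not captured traffic).
REQUEST_LINE = b"GET / HTTP/1.1\r\nHost: example.test\r\n"
SAMPLES = {
    "normal": REQUEST_LINE + b"Connection: Keep-Alive\r\n\r\n",
    "two options": REQUEST_LINE + b"connection: keep-alive, Upgrade\r\n\r\n",
    "oversized": REQUEST_LINE + b"Connection: " + b"A" * 1024 + b"\r\n\r\n",
    "binary": REQUEST_LINE + b"Connection: close\x00\xff\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label}: {connection_findings(request) or 'ok'}")
```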

How to remove this vulnerability

No remedy available as of February 2002.

References

ISS X-Force
HTTP "Connection" field buffer overflow
http://www.iss.net/security_center/static/8234.php