[Snort-sigs] [1:971:1] incorrect classtype

Jörgen Persson jpn at ...83...
Wed Aug 22 04:14:16 EDT 2001

On Tue, Aug 21, 2001 at 11:16:26PM -0400, Brian Caswell wrote:
> Jörgen Persson wrote:
> > 
> > [1:971:1] states the classtype attempted-recon. According to the
> > references[1] attemted-admin seems more correct.
> I disagree. 
> This is for the .printer attempt.  Its just .printer in a url.  Looking
> for .printer can be bad... but its just recon.  If you  included a dsize
> (looking for an overflow) then you can say that is an admin attempt.

True, as the rule is written it's only a recon. Still it's CAN
description tells me:

Buffer overflow in Internet Printing ISAPI extension in Windows 2000
allows remote attackers to gain root privileges via a long print request
that is passed to the extension through IIS 5.0.

Then pointing to that reference is wrong.

Shouldn't there be a rule matching that specific buffer overrun?

Jörgen Persson

More information about the Snort-sigs mailing list