[Snort-sigs] [1:971:1] incorrect classtype
jpn at ...83...
Wed Aug 22 04:14:16 EDT 2001
On Tue, Aug 21, 2001 at 11:16:26PM -0400, Brian Caswell wrote:
> Jörgen Persson wrote:
> > [1:971:1] states the classtype attempted-recon. According to the
> > references attempted-admin seems more correct.
> I disagree.
> This is for the .printer attempt. It's just .printer in a url. Looking
> for .printer can be bad... but it's just recon. If you included a dsize
> (looking for an overflow) then you can say that is an admin attempt.
True, as the rule is written it's only a recon. Still, its CAN
description tells me:
Buffer overflow in Internet Printing ISAPI extension in Windows 2000
allows remote attackers to gain root privileges via a long print request
that is passed to the extension through IIS 5.0.
Then pointing to that reference is wrong.
Shouldn't there be a rule matching that specific buffer overrun?
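
The distinction discussed in this thread, as an added example that is not part of the original message or of the Snort rule set: the same `.printer` URI match is labelled attempted-recon on its own and attempted-admin only when combined with a payload-size test, which is what a `dsize` option would add. The 512-byte threshold, the function name and the sample payloads are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed threshold (not from the thread): payloads larger than this are
# treated as a possible overflow attempt, mirroring a Snort "dsize:>N" test.
DSIZE_THRESHOLD = 512

# Minimal HTTP request-line parser: method, URI, version.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d\r?\n")


def classify(payload: bytes, dsize_threshold: int = DSIZE_THRESHOLD):
    """Return a classtype for one TCP payload, or None if nothing matches."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    # Percent-decode and lowercase the URI so "%2eprinter" and ".PRINTER"
    # are matched as well as the literal ".printer".
    uri = unquote(m.group(2).decode("latin-1")).lower()
    if ".printer" not in uri:
        return None
    # Content match alone only shows that someone asked for a .printer URL.
    # Only the added size condition justifies the stronger classtype.
    if len(payload) > dsize_threshold:
        return "attempted-admin"
    return "attempted-recon"


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "benign": b"GET /index.html HTTP/1.0\r\n\r\n",
    "probe": b"GET /NULL.printer HTTP/1.0\r\n\r\n",
    "encoded": b"GET /NULL%2ePRINTER HTTP/1.0\r\n\r\n",
    "oversized": b"GET /NULL.printer HTTP/1.0\r\nX-Filler: "
                 + b"A" * 600 + b"\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:10} {len(payload):4d} bytes -> {classify(payload)}")
```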