[Snort-sigs] FP on SID:2435 - with general comment

Jason Haar Jason.Haar at ...651...
Tue Apr 6 15:27:04 EDT 2004

"WEB-CLIENT Microsoft emf metafile access"

This just triggered here when someone went to download

GET /i.p.emfemal.gif

The ".emf" is there alright...

This must be a common problem. The rule matched on uricontent:".emf",
assuming that was the file extension.
What is really needed is some way of differentiating between
"filenames" within URIs and "full blown" URIs. You couldn't even do
".emf " as ".emf?xx=qq" would slip past such a rule... pcre could do it,
but this could be quite a common rule problem, so I wonder if there's
some more "correct" way of doing it?


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
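The false positive above, reproduced as an added example that is not part of the original post or of the Snort ruleset: a plain substring test (what uricontent:".emf" amounts to) beside an extension test that requires ".emf" to end the path component, so that "/i.p.emfemal.gif" no longer matches while "/x.emf?xx=qq" still does. The sample URIs are constructed, and the Snort pcre option the helper emits assumes the Snort 2.x syntax where the U modifier selects the normalized URI buffer; it is my suggestion, not a published rule.

```python
import re

# Constructed sample URIs: the first is the false positive from the post,
# the rest exercise the query-string and directory-name edge cases.
SAMPLE_URIS = [
    "/i.p.emfemal.gif",          # FP: ".emf" is only a substring of the name
    "/images/logo.emf",          # real .emf download
    "/images/logo.emf?xx=qq",    # real .emf download with a query string
    "/images/logo.EMF",          # Windows treats extensions case-insensitively
    "/docs.emf/index.html",      # directory named ".emf", file is .html
    "/emfstuff/readme.txt",      # no ".emf" at all
]


def naive_match(uri: str, ext: str = "emf") -> bool:
    """What a bare uricontent:".<ext>" does: a case-insensitive substring test."""
    return ("." + ext.lower()) in uri.lower()


def extension_pattern(ext: str) -> str:
    """Regex source requiring ".<ext>" at the end of the URI path component.

    The lookahead accepts end-of-string or the delimiters that can follow a
    path in a request URI: '?' (query), ';' (path parameter), '#' (fragment).
    A following '/' is deliberately not accepted, so a directory named
    "docs.emf" does not match.
    """
    return r"\." + re.escape(ext) + r"(?=$|[?;#])"


def extension_match(uri: str, ext: str = "emf") -> bool:
    """True only when the requested file's extension is <ext> (case-insensitive).

    Assumes the URI is already decoded/normalized, as Snort's URI buffer is;
    a raw "%2eemf" would need decoding first.
    """
    return re.search(extension_pattern(ext), uri, re.IGNORECASE) is not None


def snort_pcre_for_extension(ext: str) -> str:
    """Build the equivalent Snort 2.x pcre option (assumed syntax, not a shipped rule).

    'U' = match against the normalized URI buffer, 'i' = case-insensitive.
    """
    return 'pcre:"/' + extension_pattern(ext) + '/Ui";'


def compare(uris=SAMPLE_URIS, ext: str = "emf"):
    """Return (uri, naive_result, extension_result) for each sample URI."""
    return [(u, naive_match(u, ext), extension_match(u, ext)) for u in uris]


if __name__ == "__main__":
    print("%-28s %-6s %s" % ("URI", "naive", "extension"))
    for uri, naive, strict in compare():
        print("%-28s %-6s %s" % (uri, naive, strict))
    print()
    print("Suggested Snort option:", snort_pcre_for_extension("emf"))
```

The lookahead is the piece that fixes both problems raised in the post: the substring match on "i.p.emfemal.gif" fails because ".emf" is followed by "e", while "logo.emf?xx=qq" still matches because "?" is one of the accepted terminators.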
