[Snort-sigs] New adobe vulnerability

Frank Knobbe frank at ...1978...
Thu Aug 19 20:49:40 EDT 2004


On Thu, 2004-08-19 at 15:17, Joseph Gama wrote:
> My rule was posted the same day as this posting and it
> has no false positives:
> 
> [...]pcre:"/[\w]+\.pdf%00[\w-_\.!~*'"\(\)]+HTTP\/1\.1/Bi";[...]

Does your rule actually fire on the exploit?

If so, question to nnposter, does his rule (using |00|) fire on the
exploit?

I understand that the preprocessor will convert %00 into |00| within
matches using uricontent. But if Joseph's rule works too, does that mean
that anything that is matched using pcre has not been run through
http_inspect?

How does the matching occur? All munged by http_inspect first, then
matched by uricontent and pcre? Or first pcre, then munging by
http_inspect, then uricontent?

Who is right and will alert on the exploit (tested)? pcre using %00 or
uricontent using |00| or both?

Regards,
Frank


BTW: I try to stay away from pcre due to the performance impact. Is that
fear unfounded these days (read, with newer versions of Snort)?
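
Added example, not part of the original message and not Snort code: a simplified Python model of the two buffers the questions above turn on. It assumes, as the Snort manual documents, that a pcre with the B modifier is matched against the undecoded request while uricontent is matched against the URI as normalized by http_inspect. The request lines, both patterns (simplified stand-ins for the two rules) and the percent-decoding-only normalizer are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request lines (not captured traffic).
SAMPLES = {
    "literal %00": b"GET /docs/report.pdf%00.html HTTP/1.1",
    "encoded dot": b"GET /docs/report%2Epdf%00.html HTTP/1.1",
    "benign": b"GET /docs/report.pdf HTTP/1.1",
}

# Simplified stand-in for a raw-buffer pcre (B modifier): literal "%00".
RAW_RE = re.compile(rb"\w+\.pdf%00", re.I)
# Simplified stand-in for uricontent:".pdf|00|"; nocase; (a real NUL byte).
NORM_RE = re.compile(rb"\.pdf\x00", re.I)


def request_uri(line):
    """Return the URI field of an HTTP request line."""
    _method, uri, _version = line.split(b" ", 2)
    return uri


def normalize(uri):
    """Toy normalizer: percent-decoding only (http_inspect does far more)."""
    return unquote_to_bytes(uri)


def evaluate(line):
    """Each pattern applied to the buffer it is meant for."""
    return {
        "raw": bool(RAW_RE.search(line)),
        "normalized": bool(NORM_RE.search(normalize(request_uri(line)))),
    }


def cross_check(line):
    """Each pattern applied to the other buffer: neither should match."""
    return {
        "raw_pattern_on_normalized": bool(RAW_RE.search(normalize(request_uri(line)))),
        "nul_pattern_on_raw": bool(NORM_RE.search(line)),
    }


def report():
    return {name: evaluate(line) for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:12} raw={hits['raw']!s:5} normalized={hits['normalized']}")
    print(cross_check(SAMPLES["literal %00"]))
```

In this model both patterns fire on the literal `%00` request because each sees a different buffer, and only the normalized match still fires when the same URI arrives with an equivalent encoding.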
