[Snort-sigs] New adobe vulnerability

Frank Knobbe frank at ...1978...
Thu Aug 19 20:49:40 EDT 2004

On Thu, 2004-08-19 at 15:17, Joseph Gama wrote:
> My rule was posted the same day as this posting and it
> has no false positives:
> [...]pcre:"/[\w]+\.pdf%00[\w-_\.!~*'"\(\)]+HTTP\/1\.1/Bi";[...]

Does your rule actually fire on the exploit?

If so, question to nnposter, does his rule (using |00|) fire on the

I understand that the preprocessor will convert %00 into |00| within
matches using uricontent. But if Joseph's rule works too, does that mean
that anything that is matched using pcre has not been run through

How does the matching occur? All munged by http_inspect first, then
matched by uricontent and pcre? Or first pcre, then munging by
http_inspect, then uricontent?

Who is right and will alert on the exploit (tested)? pcre using %00 or
uricontent using |00| or both?


BTW: I try to stay away from pcre due to the performance impact. Is that
fear unfounded these days (read, with newer versions of Snort)?
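
Added example, not part of the original post and not Snort code: a small Python model of the two buffers the message asks about, showing why a raw-byte regex for `%00` and a decoded-URI match for a NUL byte can disagree. It assumes that uricontent sees the URI after http_inspect decoding while a pcre using the B modifier sees the bytes as sent; the single-pass percent-decoding, the simplified pattern, the sample requests and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed request lines (not captured traffic).
SAMPLES = {
    "literal": b"GET /docs/report.pdf%00.html HTTP/1.1\r\n",
    "encoded_dot": b"GET /docs/report%2Epdf%00.html HTTP/1.1\r\n",
    "benign": b"GET /docs/report.pdf HTTP/1.1\r\n",
}

# Simplified stand-in for a raw-buffer regex: the NUL still appears as "%00".
RAW_PATTERN = re.compile(rb"\.pdf%00", re.IGNORECASE)
# Byte string a decoded-URI content match would look for: ".pdf" then 0x00.
DECODED_CONTENT = b".pdf\x00"


def request_uri(raw: bytes) -> bytes:
    """Return the URI field of an HTTP request line, still percent-encoded."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("not a METHOD URI VERSION request line")
    return parts[1]


def decoded_uri(raw: bytes) -> bytes:
    """Hypothetical model of URI normalization: one pass of percent-decoding."""
    return unquote_to_bytes(request_uri(raw))


def raw_match(raw: bytes) -> bool:
    """Regex over the bytes as they appeared on the wire."""
    return RAW_PATTERN.search(raw) is not None


def decoded_match(raw: bytes) -> bool:
    """Case-insensitive content match over the decoded URI buffer."""
    return DECODED_CONTENT in decoded_uri(raw).lower()


def compare() -> dict:
    """Map each sample name to (raw_match, decoded_match)."""
    return {name: (raw_match(r), decoded_match(r)) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:12} raw={result[0]!s:5} decoded={result[1]}")
```

The `encoded_dot` sample is the case to watch: the raw pattern misses it because the dot is sent as `%2E`, while the decoded match still sees `.pdf` followed by a NUL byte.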
