[Snort-sigs] Unknown IIS Issue

Matthew Jonkman matt at ...2436...
Wed Jul 28 11:45:51 EDT 2004

I didn't really compare to the original rule. It wasn't hitting when the 
thcownziis was, but I didn't look into it since I had a rule that was 

So I can't say yes or no without going back and running the exploit and 
getting a new packet dump.


Frank Knobbe wrote:

> On Wed, 2004-07-28 at 13:25, Matthew Jonkman wrote:
>>I am certain they were real. I've grabbed the exploit code and run it 
>>myself and got the same string in the same place in the stream. That's 
>>good enough for me to be sure.
> So, are you saying the other rule is broken, possibly because it is
> using an offset which doesn't match the real exploit(s)? In other words,
> would it be better to match the string without an offset?
> Later,
> Frank

More information about the Snort-sigs mailing list