[Snort-sigs] Unknown IIS Issue
matt at ...2436...
Wed Jul 28 11:45:51 EDT 2004
I didn't really compare to the original rule. It wasn't hitting when the
thcownziis was, but I didn't look into it since I had a rule that was
So I can't say yes or no without going back and running the exploit and
getting a new packet dump.
Frank Knobbe wrote:
> On Wed, 2004-07-28 at 13:25, Matthew Jonkman wrote:
>>I am certain they were real. I've grabbed the exploit code and run it
>>myself and got the same string in the same place in the stream. That's
>>good enough for me to be sure.
> So, are you saying the other rule is broken, possibly because it is
> using an offset which doesn't match the real exploit(s)? In other words,
> would it be better to match the string without an offset?
More information about the Snort-sigs