[Snort-sigs] False negative in 3087.1 (WEB-IIS w3who.dll buffer overflow attempt)

Frank Knobbe frank at ...1978...
Wed Feb 2 20:52:53 EST 2005


> Nigel Houghton wrote:
> 
> >http://www.snort.org/docs/snort_manual/node19.html#SECTION004510000000000000000
> >
> > "U: Match the decoded URI buffers (Similar to uricontent)"

> On Mon, 2005-01-24 at 21:01 -0500, Matt Jonkman wrote:
> Ummm. wow. When did this come around, what version? I must have missed 
> it in the changelogs. Been hoping for that for a while.
> 
> Thanks for pointing it out Nigel. I've got about 200+ rules to go modify. :)

Not so fast.

I've just done some tests and adding a /U at the end of the pcre seems
to silence/break the rule.

For example, I've got tons of users requesting web pages through a
proxy, like "GET http://www.blah.com".

pcre:"/http\:\/\/www/";   will nicely match.

However, pcre:"/http\:\/\/www/U"; will not.

Seems that this is written according to the manual, yet /U breaks the rule.
Any idea why?

Thanks,
Frank


PS: Matt, do we need to remove /U from Bleeding sigs?
