[Snort-sigs] False negative in 3087.1 (WEB-IIS w3who.dll buffer overflow attempt)
frank at ...1978...
Wed Feb 2 20:52:53 EST 2005
> Nigel Houghton wrote:
> > "U: Match the decoded URI buffers (Similar to uricontent)"
> On Mon, 2005-01-24 at 21:01 -0500, Matt Jonkman wrote:
> Ummm. wow. When did this come around, what version? I must have missed
> it in the changelogs. Been hoping for that for a while.
> Thanks for pointing it out Nigel. I've got about 200+ rules to go modify. :)
Not so fast.
I've just done some tests and adding a /U at the end of the pcre seems
to silence/break the rule.
For example, I've got tons of users requesting web pages through a
proxy, like "GET http://www.blah.com".
pcre:"/http\:\/\/www/"; will nicely match.
However, pcre:"/http\:\/\/www/U"; will not.
Seems that this is written according to the manual, yet /U breaks the rule.
Any idea why?
PS: Matt, do we need to remove /U from Bleeding sigs?