[Snort-sigs] False negative in 3087.1 (WEB-IIS w3who.dll buffer overflow attempt)

Nigel Houghton nigel at ...435...
Wed Feb 2 21:16:04 EST 2005


On  0, Frank Knobbe <frank at ...1978...> allegedly wrote:
> > Nigel Houghton wrote:
> > 
> > >http://www.snort.org/docs/snort_manual/node19.html#SECTION004510000000000000000
> > >
> > > "U: Match the decoded URI buffers (Similar to uricontent)"
> 
> > On Mon, 2005-01-24 at 21:01 -0500, Matt Jonkman wrote:
> > Ummm. wow. When did this come around, what version? I must have missed 
> > it in the changelogs. Been hoping for that for a while.
> > 
> > Thanks for pointing it out Nigel. I've got about 200+ rules to go modify.  :)
> 
> Not so fast.
> 
> I've just done some tests and adding a /U at the end of the pcre seems
> to silence/break the rule.
> 
> For example, I've got tons of users requesting web pages through a
> proxy, like "GET http://www.blah.com".
> 
> pcre:"/http\:\/\/www/";   will nicely match.
> 
> However, pcre:"/http\:\/\/www/U"; will not.
> 
> Seems that this is written according to manual, yet /U breaks the rule.
> Any idea why?

  "Match the _decoded_ URI buffers (Similar to _uricontent_)"

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

   Stewie: This is treason.. for God sakes Peter make an example of
   her.. nothing says 'obey me' like a bloody head on a fence post.
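The distinction Nigel is pointing at (pcre without /U inspects the raw request, pcre with /U inspects the decoded URI buffer, as uricontent does) is easy to see with a toy model. The following is an added example and is not code from the thread or from Snort: it implements a deliberately simplified decoder (percent-decoding plus collapsing "/./" segments) and runs the same pattern against both buffers. Which transformations a real normaliser applies, and whether it keeps the scheme and host of a proxy-style request target like "http://www.blah.com", is implementation-specific and is exactly what to check when a rule goes silent after adding /U; this toy keeps them. The sample request lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (not taken from the thread).
RAW_REQUESTS = {
    "proxy": "GET http://www.blah.com/index.html HTTP/1.1",
    "encoded": "GET /scripts/%77%33who.dll?x=%41%41 HTTP/1.0",
    "dotted": "GET /scripts/./w3who.dll HTTP/1.0",
}


def request_target(request_line):
    """Return the request-target (second token of the request line)."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return ""
    return parts[1]


def decoded_uri(request_line):
    """Toy 'decoded URI buffer': percent-decode the target and collapse
    '/./' segments.  This is an assumption for illustration only; a real
    normaliser such as Snort's http_inspect applies its own rules and may
    or may not keep the scheme/host of a proxy-style target."""
    target = unquote(request_target(request_line))
    while "/./" in target:
        target = target.replace("/./", "/")
    return target


def rule_matches(pattern, request_line, uri_buffer=False):
    """Mimic pcre without /U (raw request line) versus with /U (decoded URI)."""
    buf = decoded_uri(request_line) if uri_buffer else request_line
    return re.search(pattern, buf) is not None


def compare(pattern):
    """Evaluate one pattern against every sample: (raw match, decoded match)."""
    return {
        name: (rule_matches(pattern, line), rule_matches(pattern, line, uri_buffer=True))
        for name, line in RAW_REQUESTS.items()
    }


if __name__ == "__main__":
    for pat in (r"http:\/\/www", r"\/scripts\/w3who\.dll"):
        print(pat, compare(pat))
```

The second pattern shows the usual reason a rule author wants /U: an encoded or dot-padded path never contains the literal "/scripts/w3who.dll" in the raw packet, but does in the decoded buffer. The first pattern shows the reverse risk: once a rule is pinned to the decoded buffer, it only matches what the normaliser leaves there, so any rule converted to /U should be re-tested against real traffic rather than assumed equivalent.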