[Snort-sigs] False negative in 3087.1 (WEB-IIS w3who.dll buffer overflow attempt)

Nigel Houghton nigel at ...435...
Thu Feb 3 05:31:43 EST 2005


On  0, Frank Knobbe <frank at ...1978...> allegedly wrote:
> On Wed, 2005-02-02 at 23:08 -0600, Nigel Houghton wrote:
> 
> > > However, pcre:"/http\:\/\/www/U"; will not.
> > > 
> > > Seems that this is written according to manual, yet /U breaks the rule.
> > > Any idea why?
> > 
> >   "Match the _decoded_ URI buffers (Similar to _uricontent_)"
> 
> 
> Uhm... yeah? http://www in... so what is that decoded to? Other than
> http://www?

You wouldn't use "http://" with uricontent now would you?

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

   Stewie: This is treason.. for God sakes Peter make an example of
   her.. nothing says 'obey me' like a bloody head on a fence post.