[Snort-sigs] False negative in 3087.1 (WEB-IIS w3who.dll buffer overflow attempt)

Joe Patterson jpatterson at ...2901...
Thu Feb 3 08:41:22 EST 2005


I just did a quick bit of testing to see if a theory of mine is right, and
it *appears* that it is.

The answer to your question is that http://www is decoded to http:/www (part
of the normalization routines include condensing multiple ////'s into a
single /.)

So, pcre:"/http\:\/\/www/U" doesn't match, but both pcre:"/http\:\/\/www/"
and pcre:"/http\:\/www/U" do.

-Joe

> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net]On Behalf Of Frank Knobbe
> Sent: Thursday, February 03, 2005 2:36 AM
> To: Nigel Houghton
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] False negative in 3087.1 (WEB-IIS w3who.dll
> buffer overflow attempt)
>
>
> On Wed, 2005-02-02 at 23:08 -0600, Nigel Houghton wrote:
>
> > > However, pcre:"/http\:\/\/www/U"; will not.
> > >
> > > Seems that this is written according to manual, yet /U breaks
> the rule.
> > > Any idea why?
> >
> >   "Match the _decoded_ URI buffers (Similar to _uricontent_)"
>
>
> Uhm... yeah? http://www in... so what is that decoded to? Other than
> http://www?
>
> Perhaps I'm not seeing the tree at the end of the tunnel... ;)
> Later,
> Frank
>
>
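The behaviour Joe describes, worked through as an added example (this is illustration code written for this page, not Snort's own http_inspect code and not something posted in the thread). The normalizer below is a deliberate simplification: it only percent-decodes the request-URI and collapses any run of slashes into a single "/", which is the one normalization step the post names. The real preprocessor does more (directory-traversal resolution and other decoding) and is not modelled. The HTTP requests are constructed samples, not captures, and carry no overflow payload; the only thing that matters for the demonstration is the "//" in "http://www". The function and variable names are the example's own.

```python
"""
Simplified model of the decoded URI buffer that a pcre with the /U
modifier is matched against, used to show why
    pcre:"/http\:\/\/www/U"
misses while
    pcre:"/http\:\/\/www/"     (raw payload, no /U)
    pcre:"/http\:\/www/U"      (single slash, decoded buffer)
both hit.

Assumption (labelled): only percent-decoding plus multiple-slash
condensing is modelled here; Snort's http_inspect performs further
normalization that this example does not reproduce.
"""
import re
from urllib.parse import unquote


def normalize_uri(raw_uri: str) -> str:
    """Approximate the decoded URI buffer: percent-decode, then condense
    any run of slashes ('////') into a single '/'."""
    decoded = unquote(raw_uri)
    return re.sub(r"/{2,}", "/", decoded)


def request_uri(raw_request: bytes) -> str:
    """Pull the request-URI out of the request line of an HTTP request."""
    first_line = raw_request.split(b"\r\n", 1)[0].decode("latin-1")
    parts = first_line.split(" ")
    if len(parts) < 2:
        raise ValueError("not an HTTP request line")
    return parts[1]


def pcre_matches(pattern: str, raw_request: bytes, uri_modifier: bool) -> bool:
    """Evaluate the body of a Snort pcre option against either the raw
    payload (no /U) or the normalized URI buffer (/U). The caller strips
    Snort's delimiters and modifier letters and passes only the regex."""
    if uri_modifier:
        subject = normalize_uri(request_uri(raw_request))
    else:
        subject = raw_request.decode("latin-1")
    return re.search(pattern, subject) is not None


# Constructed sample requests (not captures). The query string carries
# "http://www" once plainly and once with the slashes percent-encoded.
SAMPLE_REQUEST = (
    b"GET /scripts/w3who.dll?redir=http://www.example.com/ HTTP/1.0\r\n"
    b"Host: target\r\n\r\n"
)
SAMPLE_ENCODED = (
    b"GET /scripts/w3who.dll?redir=http:%2F%2Fwww.example.com/ HTTP/1.0\r\n"
    b"Host: target\r\n\r\n"
)

# The two pcre bodies from the thread, delimiters and modifiers removed.
# \: and \/ are legal escapes in both PCRE and Python's re module.
PCRE_DOUBLE_SLASH = r"http\:\/\/www"
PCRE_SINGLE_SLASH = r"http\:\/www"


def thread_results(raw_request: bytes = SAMPLE_REQUEST) -> dict:
    """Reproduce the three outcomes reported in the post for one request."""
    return {
        "//www with /U": pcre_matches(PCRE_DOUBLE_SLASH, raw_request, True),
        "//www without /U": pcre_matches(PCRE_DOUBLE_SLASH, raw_request, False),
        "/www with /U": pcre_matches(PCRE_SINGLE_SLASH, raw_request, True),
    }


if __name__ == "__main__":
    for name, req in (("plain", SAMPLE_REQUEST), ("encoded", SAMPLE_ENCODED)):
        print(f"[{name}] normalized URI: {normalize_uri(request_uri(req))}")
        for rule, hit in thread_results(req).items():
            print(f"  {rule:18s} -> {'match' if hit else 'no match'}")
```

Running it against the plain request gives exactly the three results from the post: the double-slash pattern misses on the decoded buffer, hits on the raw payload, and the single-slash pattern hits on the decoded buffer. The percent-encoded request shows the flip side of the trade-off under this model: the raw-payload pcre never sees "http://www" at all because the slashes arrive as %2F%2F, whereas the single-slash /U pattern still matches after decoding. Whichever form a rule author picks, the pattern has to be written for the buffer it is actually compared against.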
