[Snort-sigs] False negative in 3087.1 (WEB-IIS w3who.dll buffer overflow attempt)
frank at ...1978...
Thu Feb 3 09:00:35 EST 2005
On Thu, 2005-02-03 at 11:39 -0500, Joe Patterson wrote:
> I just did a quick bit of testing to see if a theory of mine is right, and
> it *appears* that it is.
> The answer to your question is that http://www is decoded to http:/www (part
> of the normalization routines include condensing multiple ////'s into a
> single /.)
> So, pcre:"/http\:\/\/www/U" doesn't match, but both pcre:"/http\:\/\/www/"
> and pcre:"/http\:\/www/U" do.
Doh! For some reason I wasn't expecting it to eat a slash :)
This explains it nicely.
Thanks a bunch Joe!
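The behaviour Joe describes above, as an added example that is not part of the original thread: the three quoted pcre options are evaluated against a raw packet and against a normalized URI, and a small lint check flags `U` patterns that can never match. The sample request, the `normalize_uri` model (slash collapsing only, not Snort's full normalization) and all function names are assumptions made for illustration.

```python
import re

# Constructed sample request (not from the thread); the URI carries "http://www".
RAW_URI = "/scripts/w3who.dll?bogus=http://www.example.test/"
RAW_PACKET = "GET " + RAW_URI + " HTTP/1.0\r\n\r\n"

# The three pcre options quoted in the thread.
OPTIONS = [r"/http\:\/\/www/U", r"/http\:\/\/www/", r"/http\:\/www/U"]


def normalize_uri(raw_uri):
    """Assumed, simplified normalizer: only the slash-collapsing step."""
    return re.sub(r"/{2,}", "/", raw_uri)


def split_option(option):
    """Split '/pattern/flags' into (pattern, flags); only the U flag is modelled."""
    m = re.fullmatch(r"/(.*)/([A-Za-z]*)", option, re.S)
    if m is None or set(m.group(2)) - {"U"}:
        raise ValueError("unsupported pcre option: " + option)
    return m.group(1), m.group(2)


def pcre_matches(option, raw_packet=RAW_PACKET, raw_uri=RAW_URI):
    """With U the pattern sees the normalized URI, otherwise the raw packet."""
    pattern, flags = split_option(option)
    buf = normalize_uri(raw_uri) if "U" in flags else raw_packet
    return re.search(pattern, buf) is not None


def needs_review(option):
    """Flag U patterns that require two or more consecutive literal slashes."""
    pattern, flags = split_option(option)
    return "U" in flags and re.search(r"(?:\\?/){2,}", pattern) is not None


if __name__ == "__main__":
    for opt in OPTIONS:
        print(opt, "matches:", pcre_matches(opt), "review:", needs_review(opt))
```

The lint check only catches literal `//` sequences; a pattern that reaches two slashes through a quantifier would need a separate test.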