[Snort-sigs] False negative in 3087.1 (WEB-IIS w3who.dll buffer overflow attempt)

Frank Knobbe frank at ...1978...
Thu Feb 3 09:00:35 EST 2005


On Thu, 2005-02-03 at 11:39 -0500, Joe Patterson wrote:
> I just did a quick bit of testing to see if a theory of mine is right, and
> it *appears* that it is.
> 
> The answer to your question is that http://www is decoded to http:/www (part
> of the normalization routines include condensing multiple ////'s into a
> single /.)
> 
> So, pcre:"/http\:\/\/www/U" doesn't match, but both pcre:"/http\:\/\/www/"
> and pcre:"/http\:\/www/U" do.

Doh! For some reason I wasn't expecting it to eat a slash :)
This explains it nicely.

Thanks a bunch Joe!

Frank
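
The behaviour described in this message, as an added example that is not part of the original thread or Snort's own code: a small Python model of the raw buffer versus the slash-collapsed URI buffer, run against the three pcre options quoted above. The sample URI, the function names and the final `\/+` pattern are assumptions made for illustration, and the normalization is reduced to the single slash-collapsing step.

```python
import re

# Constructed sample URI (not taken from the thread's traffic).
SAMPLE_URI = "/scripts/w3who.dll?http://www.example.com/"

def normalize_uri(raw):
    """Model only the step discussed above: a run of '/' becomes one '/'.
    Real HTTP normalization does more; this is a simplification."""
    return re.sub(r"/{2,}", "/", raw)

def pcre_matches(pattern, raw_uri, uri_modifier):
    """Emulate a pcre option: with the U modifier the pattern is applied to
    the normalized URI buffer, without it to the raw bytes."""
    buf = normalize_uri(raw_uri) if uri_modifier else raw_uri
    return re.search(pattern, buf) is not None

# (label, pattern, U modifier). The first three are the cases from the
# thread; the \/+ pattern is an added suggestion that tolerates both forms.
CASES = [
    ("double-slash /U", r"http\:\/\/www", True),
    ("double-slash raw", r"http\:\/\/www", False),
    ("single-slash /U", r"http\:\/www", True),
    ("tolerant /U", r"http\:\/+www", True),
    ("tolerant raw", r"http\:\/+www", False),
]

def evaluate(raw_uri=SAMPLE_URI):
    """Return {label: matched?} for every case against one raw URI."""
    return {label: pcre_matches(p, raw_uri, u) for label, p, u in CASES}

if __name__ == "__main__":
    print("raw buffer:       ", SAMPLE_URI)
    print("normalized buffer:", normalize_uri(SAMPLE_URI))
    for label, matched in evaluate().items():
        print(f"{label:18s} {'match' if matched else 'NO MATCH'}")
```
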
