[Snort-sigs] False negative in 3087.1 (WEB-IIS w3who.dll buffer overflow attempt)

Frank Knobbe frank at ...1978...
Thu Feb 3 09:09:16 EST 2005


On Thu, 2005-02-03 at 07:22 -0600, Nigel Houghton wrote:
> You wouldn't use "http://" with uricontent now would you?

Yes you would. Every URI request going through a proxy server looks like
this:  "GET http://www.host.com/blah.html"

So the http:// is part of the URI.

I just spent hours last night retrofitting Bleeding rules so that any
"GET /" or "POST /" matches (which would fail on proxied connections)
would also recognize host names.

I see only two rules in the Snort rule set that might be affected,
sid:306 and sid:1881. The nature of these rules do not warrant a change,
though. They are fine.

Regards,
Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20050203/c8deafbc/attachment.sig>


More information about the Snort-sigs mailing list