[Snort-sigs] False negative in 3087.1 (WEB-IIS w3who.dll buffer overflow attempt)

Nigel Houghton nigel at ...435...
Thu Feb 3 09:19:55 EST 2005


On  0, Frank Knobbe <frank at ...1978...> allegedly wrote:
> On Thu, 2005-02-03 at 07:22 -0600, Nigel Houghton wrote:
> > You wouldn't use "http://" with uricontent now would you?
> 
> Yes you would. Every URI request going through a proxy server looks like
> this:  "GET http://www.host.com/blah.html"

Sorry, didn't realize you were analyzing proxy traffic. Looking back at
your other posts I don't know how I missed that, duh!

You'll have to get rid of a "/" in the http:// for the request to the
proxy then.

> So the http:// is part of the URI.
> 
> I just spent hours last night retrofitting Bleeding rules so that any
> "GET /" or "POST /" matches (which would fail on proxied connections)
> would also recognize host names.
> 
> I see only two rules in the Snort rule set that might be affected,
> sid:306 and sid:1881. The nature of these rules does not warrant a change,
> though. They are fine.
> 
> Regards,
> Frank

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

   Stewie: This is treason.. for God sakes Peter make an example of
   her.. nothing says 'obey me' like a bloody head on a fence post.
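
The false negative discussed in this thread, shown as an added example that is not part of either poster's message or of any Snort or Bleeding rule: a match anchored on "GET /" misses the same request once a proxy client sends it as "GET http://host/...", while a match on the normalized path catches both. The request lines, the /scripts/ path and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed request lines for illustration (not captured traffic).
SAMPLES = [
    "GET /scripts/w3who.dll?a=1 HTTP/1.0",                     # direct to server
    "GET http://www.host.com/scripts/w3who.dll?a=1 HTTP/1.0",  # same request via proxy
    "GET http://www.host.com/blah.html HTTP/1.0",              # proxied, unrelated
    "CONNECT www.host.com:443 HTTP/1.1",                       # no path to inspect
]
NEEDLE = "/w3who.dll"  # file name from the thread subject; the path around it is assumed


def naive_match(line):
    """Raw match anchored on 'GET /': misses absolute-form (proxied) targets."""
    return line.startswith("GET /") and NEEDLE in line.lower()


def request_path(line):
    """Return (method, path?query), reducing 'http://host/path' to '/path'."""
    parts = line.split()
    if len(parts) < 2:
        return None, None
    method, target = parts[0], parts[1]
    if target.startswith("/"):
        return method, target
    url = urlsplit(target)
    if url.scheme.lower() in ("http", "https") and url.netloc:
        path = url.path or "/"
        return method, path + ("?" + url.query if url.query else "")
    return method, None  # CONNECT host:port, OPTIONS *, or unparsable


def proxy_aware_match(line):
    """Match on the normalized path, so direct and proxied requests both hit."""
    method, path = request_path(line)
    return method == "GET" and path is not None and NEEDLE in path.lower()


def run(samples=SAMPLES):
    """Return (naive, proxy_aware) verdicts for each sample line."""
    return [(naive_match(s), proxy_aware_match(s)) for s in samples]


if __name__ == "__main__":
    for line, (naive, aware) in zip(SAMPLES, run()):
        print(f"naive={naive!s:5} proxy_aware={aware!s:5} {line}")
```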