[Snort-sigs] False negative in 3087.1 (WEB-IIS w3who.dll buffer overflow attempt)

nnposter nnposter at ...592...
Sat Jan 22 20:26:37 EST 2005


Rule: WEB-IIS w3who.dll buffer overflow attempt

--
Sid: 3087

--
False Negatives:
The rule uses the following PCRE:

    pcre:"/w3who.dll\x3F[^\r\n]{519}/i"

and therefore assumes that the string "w3who.dll?" in the URI is not 
encoded. Use of any valid encoding, such as "w3who%2edll?", will 
circumvent the rule.

Also, the dot in the PCRE should be escaped (although the chance of 
a false negative seems low).

Cheers,
nnposter
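
The false negative described in this post, as an added example that is not part of the original message or of Snort: the posted pattern is applied to the raw URI, next to a check that percent-decodes the path once before matching. The sample URIs are constructed; the function names and the choice to decode only the path while measuring the query undecoded are assumptions of the example.

```python
import re
from urllib.parse import unquote

# Pattern from the rule as quoted in the post, applied to the raw URI.
POSTED = re.compile(r"w3who.dll\x3F[^\r\n]{519}", re.IGNORECASE)

# Path test used after decoding, with the dot escaped.
DLL_PATH = re.compile(r"w3who\.dll$", re.IGNORECASE)
MIN_QUERY_LEN = 519  # length threshold taken from the rule's {519}


def posted_rule_matches(raw_uri: str) -> bool:
    """Apply the posted PCRE to the URI exactly as it appears on the wire."""
    return POSTED.search(raw_uri) is not None


def normalized_rule_matches(raw_uri: str) -> bool:
    """Decode the path once, then test the DLL name and the raw query length."""
    path, sep, query = raw_uri.partition("?")
    if not sep:
        return False
    # Assumption: one round of percent-decoding on the path only; the query
    # is measured undecoded, as the posted pattern does.
    if not DLL_PATH.search(unquote(path)):
        return False
    return re.match(r"[^\r\n]{%d}" % MIN_QUERY_LEN, query) is not None


# Constructed sample URIs (not captured traffic).
LONG_QUERY = "A" * 519
SAMPLES = {
    "plain": "/scripts/w3who.dll?" + LONG_QUERY,
    "encoded dot": "/scripts/w3who%2edll?" + LONG_QUERY,
    "encoded letters": "/scripts/%773who.d%6Cl?" + LONG_QUERY,
    "short query": "/scripts/w3who%2edll?" + "A" * 100,
    "other name": "/scripts/w3whoXdll?" + LONG_QUERY,
}


def evaluate() -> dict:
    """Return {sample name: (posted rule result, normalized check result)}."""
    return {name: (posted_rule_matches(uri), normalized_rule_matches(uri))
            for name, uri in SAMPLES.items()}


if __name__ == "__main__":
    for name, (posted, normalized) in evaluate().items():
        print(f"{name:16} posted={posted!s:5} normalized={normalized}")
```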



