[Snort-sigs] False negative in 3087.1 (WEB-IIS w3who.dll buffer overflow attempt)
nnposter at ...592...
Sat Jan 22 20:26:37 EST 2005
Rule: WEB-IIS w3who.dll buffer overflow attempt
The rule uses the following PCRE:
and therefore assumes that the string "w3who.dll?" in the URI is not
encoded. Use of any valid encoding, such as "w3who%2edll?", will
circumvent the rule.
Also, the dot in the PCRE should be escaped (although a chance of
a false negative seems low).
More information about the Snort-sigs