[Snort-sigs] False negative in 3087.1 (WEB-IIS w3who.dll buffer overflow attempt)

nnposter nnposter at ...592...
Sat Jan 22 20:26:37 EST 2005

Rule: WEB-IIS w3who.dll buffer overflow attempt

Sid: 3087

False Negatives:
The rule uses the following PCRE:


and therefore assumes that the string "w3who.dll?" in the URI is not 
encoded. Use of any valid encoding, such as "w3who%2edll?", will 
circumvent the rule.

Also, the dot in the PCRE should be escaped (although a chance of 
a false negative seems low).
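
The check described above, as an added example that is not part of the original post and not the rule's own PCRE (which is not reproduced on this page). The two patterns are hypothetical stand-ins for the literal "w3who.dll?", and the request URIs are constructed samples. The example compares matching on the raw URI with matching after percent-decoding the path.

```python
import re
from urllib.parse import unquote

# Hypothetical stand-ins; the actual PCRE of sid 3087 is not shown on the page.
RAW_PATTERN = re.compile(r"w3who.dll\?", re.IGNORECASE)   # unescaped dot, raw URI
PATH_PATTERN = re.compile(r"w3who\.dll$", re.IGNORECASE)  # escaped dot, decoded path


def matches_raw(uri: str) -> bool:
    """Match the literal against the URI exactly as it appeared on the wire."""
    return RAW_PATTERN.search(uri) is not None


def matches_normalized(uri: str) -> bool:
    """Match after percent-decoding the path component only.

    The query delimiter must be a literal '?': an encoded '%3f' stays part
    of the path, so the URI is split before decoding, not after.
    """
    path, sep, _query = uri.partition("?")
    return sep == "?" and PATH_PATTERN.search(unquote(path)) is not None


# Constructed sample URIs.
SAMPLES = [
    "/scripts/w3who.dll?bogus=1",     # plain form
    "/scripts/w3who%2edll?bogus=1",   # encoded dot, as in the post
    "/scripts/w3who%2Edll?bogus=1",   # same, upper-case hex
    "/scripts/w3whoXdll?bogus=1",     # matches only because '.' is unescaped
    "/scripts/index.html?bogus=1",    # unrelated request
]


def report(samples=SAMPLES):
    """Return (uri, raw_match, normalized_match) for each sample."""
    return [(u, matches_raw(u), matches_normalized(u)) for u in samples]


if __name__ == "__main__":
    for uri, raw, norm in report():
        print(f"{uri:32} raw={raw!s:5} normalized={norm}")
```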

