[Snort-sigs] False negative in 3087.1 (WEB-IIS w3who.dll buffer overflow attempt)
bmc at ...95...
Mon Jan 24 07:53:10 EST 2005
On Sat, Jan 22, 2005 at 09:25:43PM -0700, nnposter wrote:
> and therefore assumes that the string "w3who.dll?" in the URI is not
> encoded. Use of any valid encoding, such as "w3who%2edll?", will
> circumvent the rule.
The false negatives are known. The rule isn't using the URI buffer
since one of the more popular available exploits (metasploit) uses
tabs as a shellcode. HttpInspect has a bug where it accepts TAB as a
delimiter on IIS servers isn't accepted on systems vulnerable to
So, until that bug is fixed in HttpInspect, the rule can't use the URI
buffer to find the buffer overflow.
> Also, the dot in the PCRE should be escaped (although a chance of
> a false negative seems low).
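
The trade-off in this thread can be modelled in a few lines. This is an added example, not code from the posts or from Snort: the patterns are simplified stand-ins rather than the text of SID 3087, and `uri_buffer`, `verdicts` and the sample request lines are hypothetical names and constructed data. It compares a raw-packet match against a decoded URI buffer cut at TAB or only at space, and shows what the unescaped dot matches.

```python
from urllib.parse import unquote
import re

# Stand-in patterns (assumptions, not the text of SID 3087): the DLL name
# followed by at least 64 more bytes on the request line.
STRICT = re.compile(r"w3who\.dll\?[^\r\n]{64}", re.I)  # escaped dot
LOOSE = re.compile(r"w3who.dll\?[^\r\n]{64}", re.I)    # unescaped dot

def uri_buffer(request_line, delimiters):
    """Model a normalized URI buffer: cut at the first delimiter, then decode.
    This is a model of the behaviour described above, not HttpInspect's code."""
    rest = request_line.split(" ", 1)[1]
    end = min((i for i, c in enumerate(rest) if c in delimiters), default=len(rest))
    return unquote(rest[:end])

def verdicts(request_line):
    """Return which of three matching strategies flag the request line."""
    return {
        "raw": bool(STRICT.search(request_line)),
        "uri_tab_delim": bool(STRICT.search(uri_buffer(request_line, " \t"))),
        "uri_space_delim": bool(STRICT.search(uri_buffer(request_line, " "))),
    }

# Constructed sample request lines; the filler is inert padding.
PAD = "A" * 100
SAMPLES = {
    "plain": "GET /scripts/w3who.dll?" + PAD + " HTTP/1.1",
    "encoded": "GET /scripts/w3who%2edll?" + PAD + " HTTP/1.1",
    "tabs": "GET /scripts/w3who.dll?" + "A" * 20 + "\t" + PAD + " HTTP/1.1",
    "lookalike": "GET /scripts/w3whoXdll?" + PAD + " HTTP/1.1",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, verdicts(line), "loose_raw:", bool(LOOSE.search(line)))
```

Only the space-delimited, decoded buffer flags the plain, encoded and TAB-containing samples alike; the raw match misses the encoded one and the TAB-delimited buffer misses the one containing a TAB.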