[Snort-sigs] False negative in 3087.1 (WEB-IIS w3who.dll buffer overflow attempt)

Brian bmc at ...95...
Mon Jan 24 07:53:10 EST 2005

On Sat, Jan 22, 2005 at 09:25:43PM -0700, nnposter wrote:
>     pcre:"/w3who.dll\x3F[^\r\n]{519}/i"
> and therefore assumes that the string "w3who.dll?" in the URI is not 
> encoded. Use of any valid encoding, such as "w3who%2edll?", will 
> circumvent the rule.

The false negatives are known.  The rule isn't using the URI buffer
since one of the more popular available exploits (metasploit) uses
tabs as a shellcode.  HttpInspect has a bug where it accepts TAB as a
delimiter on IIS servers isn't accepted on systems vulnerable to

So, until that bug is fixed in HttpInspect, the rule can't use the URI
buffer to find the buffer overflow.

> Also, the dot in the PCRE should be escaped (although a chance of 
> a false negative seems low).
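The two evasions raised in this thread, the percent-encoded "w3who%2edll?" and a TAB inside the payload that a normalizer treats as a delimiter, can be checked against the rule's PCRE directly. The following is an added example, not code from the thread or from Snort; `normalize_uri` is a stand-in for HttpInspect's URI normalization, with a `tab_is_delimiter` switch that mimics the bug Brian describes, and the sample URIs are constructed.

```python
import re
from urllib.parse import unquote

# The rule's PCRE as quoted in the thread (dot unescaped) and the variant
# with the dot escaped, as nnposter suggests.
RAW_PCRE = re.compile(r"w3who.dll\?[^\r\n]{519}", re.IGNORECASE)
ESCAPED_PCRE = re.compile(r"w3who\.dll\?[^\r\n]{519}", re.IGNORECASE)


def normalize_uri(uri: str, tab_is_delimiter: bool = False) -> str:
    """Stand-in for an HTTP preprocessor's URI normalization (assumption).

    Percent-decodes the URI; with tab_is_delimiter=True it also cuts the
    URI at the first TAB, mimicking the HttpInspect bug described above."""
    if tab_is_delimiter:
        uri = uri.split("\t", 1)[0]
    return unquote(uri)


def rule_matches(uri: str, pattern=ESCAPED_PCRE, normalize: bool = False,
                 tab_is_delimiter: bool = False) -> bool:
    """True if the PCRE fires on the raw URI, or on the normalized URI."""
    target = normalize_uri(uri, tab_is_delimiter) if normalize else uri
    return pattern.search(target) is not None


# Constructed sample URIs: 519 bytes after "w3who.dll?" so the length
# condition of the rule is met.
PLAIN_URI = "/cgi-bin/w3who.dll?" + "A" * 519
ENCODED_URI = "/cgi-bin/w3who%2edll?" + "A" * 519
TAB_URI = "/cgi-bin/w3who.dll?" + "A" * 300 + "\t" + "A" * 218

if __name__ == "__main__":
    print("raw PCRE, plain URI      :", rule_matches(PLAIN_URI, RAW_PCRE))
    print("raw PCRE, encoded URI    :", rule_matches(ENCODED_URI, RAW_PCRE))
    print("normalized, encoded URI  :", rule_matches(ENCODED_URI, normalize=True))
    print("normalized, TAB as delim :", rule_matches(TAB_URI, normalize=True, tab_is_delimiter=True))
```

Matching the raw buffer misses the encoded form; matching the normalized buffer catches it but, with TAB treated as a delimiter, loses the TAB-bearing payload, which is the trade-off the reply describes.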
