[Snort-sigs] False negative in 3087.1 (WEB-IIS w3who.dll buffer overflow attempt)
mkettler at ...189...
Mon Jan 24 15:27:13 EST 2005
At 11:25 PM 1/22/2005, nnposter wrote:
>and therefore assumes that the string "w3who.dll?" in the URI is not
>encoded. Use of any valid encoding, such as "w3who%2edll?", will
>circumvent the rule.
Hmm, sounds like what we really need is a uripcre keyword, so that it's
searching content that's been normalized by http_inspect like uricontent is.
Unless http_inspect already normalizes data fed to pcre: keywords too, in
which case all of the above is a false assumption.
>Also, the dot in the PCRE should be escaped (although a chance of
>a false negative seems low).
Agreed. That's actually only going to result in possible false positives.
For that matter I'd rather see the ? represented as \? instead of \x3F. But
that's purely a style issue.
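The two points raised in this thread, the encoding bypass of a pcre applied to the raw payload and the unescaped dot, can be checked side by side. This is an added example, not code from the post or the Snort rule; the patterns are simplified stand-ins for the rule's pcre (the real length threshold and exact expression are not reproduced), the request URIs are constructed, and `normalize_uri` only mimics the percent-decoding part of http_inspect normalization.

```python
import re
from urllib.parse import unquote

# Constructed request URIs (not taken from the original post): a plain
# overlong request, the same with "." percent-encoded as nnposter describes,
# a short benign request, and a lookalike that an unescaped dot would match.
SAMPLE_URIS = [
    "/scripts/w3who.dll?" + "A" * 600,
    "/scripts/w3who%2edll?" + "A" * 600,
    "/scripts/w3who.dll?user=alice",
    "/scripts/w3whoXdll?" + "A" * 600,
]

# Assumed shape of the original pcre: unescaped dot and "?" written as \x3F.
RAW_PATTERN = re.compile(r"w3who.dll\x3F[^\n]{500,}", re.I)
# Corrected form: dot escaped, "?" written as \? (a style choice, same meaning).
FIXED_PATTERN = re.compile(r"w3who\.dll\?[^\n]{500,}", re.I)


def normalize_uri(uri):
    """Percent-decode, standing in for the URI normalization uricontent sees."""
    return unquote(uri)


def matches_raw(pattern, uri):
    """pcre run against the unnormalized payload: the false-negative case."""
    return pattern.search(uri) is not None


def matches_normalized(pattern, uri):
    """pcre run against the normalized URI buffer, as a uripcre would."""
    return pattern.search(normalize_uri(uri)) is not None


def detections(pattern):
    """Return (raw_match, normalized_match) for every sample URI."""
    return [(matches_raw(pattern, u), matches_normalized(pattern, u))
            for u in SAMPLE_URIS]


if __name__ == "__main__":
    for name, pat in (("raw pcre", RAW_PATTERN), ("fixed pcre", FIXED_PATTERN)):
        print(name, detections(pat))
```

Running it shows the encoded URI slipping past the raw-buffer match but being caught once normalized, and the lookalike URI matching only the unescaped-dot pattern.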