[Snort-sigs] False negative in 3087.1 (WEB-IIS w3who.dll buffer overflow attempt)

Matt Kettler mkettler at ...189...
Mon Jan 24 15:27:13 EST 2005

At 11:25 PM 1/22/2005, nnposter wrote:
>     pcre:"/w3who.dll\x3F[^\r\n]{519}/i"
>and therefore assumes that the string "w3who.dll?" in the URI is not
>encoded. Use of any valid encoding, such as "w3who%2edll?", will
>circumvent the rule.

Hmm, sounds like what we really need is a uripcre keyword, so that it's 
searching content that's been normalized by http_inspect like uricontent is.

Unless http_inspect already normalizes data fed to pcre: keywords too, in 
which case all of the above is a false assumption.

>Also, the dot in the PCRE should be escaped (although a chance of
>a false negative seems low).

Agreed. That's actually only going to result in possible false positives.

For that matter I'd rather see the ? represented as \? instead of \x3F. But 
that's purely a style issue.
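
Added example, not part of the original message or of Snort itself: a Python sketch of the points raised in this thread, comparing the quoted PCRE against raw and normalized URIs and against a variant with the dot escaped. Python's re module stands in for Snort's pcre and plain percent-decoding stands in for http_inspect normalization (both assumptions); the /scripts/ path and the filler bytes are constructed sample data.

```python
import re
from urllib.parse import unquote

# The PCRE quoted in the thread, and a variant with the dot escaped and
# the "?" written as \? as suggested in the reply.
RULE_PCRE = re.compile(r"w3who.dll\x3F[^\r\n]{519}", re.I)
ESCAPED_PCRE = re.compile(r"w3who\.dll\?[^\r\n]{519}", re.I)


def normalize_uri(raw: str) -> str:
    """Hypothetical stand-in for http_inspect: percent-decoding only."""
    return unquote(raw)


def matches(pattern, uri: str, normalized: bool) -> bool:
    """Run the pattern on the raw URI or on its normalized form."""
    return bool(pattern.search(normalize_uri(uri) if normalized else uri))


# Constructed sample request URIs; the filler is inert padding.
FILL = "A" * 519
PLAIN = "/scripts/w3who.dll?" + FILL
ENCODED = "/scripts/w3who%2edll?" + FILL   # encoding from the quoted report
LOOKALIKE = "/scripts/w3whoXdll?" + FILL   # matched only by the unescaped dot


def report() -> dict:
    """Return, per sample URI, which pattern/buffer combinations fire."""
    rows = {}
    samples = (("plain", PLAIN), ("encoded", ENCODED), ("lookalike", LOOKALIKE))
    for name, uri in samples:
        rows[name] = {
            "rule_raw": matches(RULE_PCRE, uri, False),
            "rule_normalized": matches(RULE_PCRE, uri, True),
            "escaped_normalized": matches(ESCAPED_PCRE, uri, True),
        }
    return rows


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:10s} {row}")
```

The "encoded" row fires only when the pattern is run on the normalized URI, and the "lookalike" row fires only for the pattern with the unescaped dot.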
