[Snort-sigs] False negative in 3087.1 (WEB-IIS w3who.dll buffer overflow attempt)

Nigel Houghton nigel at ...435...
Mon Jan 24 15:49:29 EST 2005


On  0, Matt Kettler <mkettler at ...189...> allegedly wrote:
> At 11:25 PM 1/22/2005, nnposter wrote:
> >    pcre:"/w3who.dll\x3F[^\r\n]{519}/i"
> >
> >and therefore assumes that the string "w3who.dll?" in the URI is not
> >encoded. Use of any valid encoding, such as "w3who%2edll?", will
> >circumvent the rule.
> 
> Hmm, sounds like what we really need is a uripcre keyword, so that it's 
> searching content that's been normalized by http_inspect like uricontent 
> is.

http://www.snort.org/docs/snort_manual/node19.html#SECTION004510000000000000000

 "U: Match the decoded URI buffers (Similar to uricontent)"

+-----------------------------------------------------------------+
    Nigel Houghton      Research Engineer       Sourcefire Inc.
                  Vulnerability Research Team

 Stewie: You know, I rather like this God fellow. Very theatrical, 
         you know. Pestilence here, a plague there. Omnipotence 
         ...gotta get me some of that.
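
The mismatch discussed in this thread, as an added example (not part of the original messages and not Snort code): the quoted pcre is run over the raw URI and over a percent-decoded copy, which is the difference the U modifier makes. The `normalize_uri` helper and the sample URIs are assumptions constructed for illustration; http_inspect's real normalization does more than percent-decoding.

```python
import re
from urllib.parse import unquote

# pcre from rule 3087.1 as quoted in the thread; the /i flag maps to re.IGNORECASE.
RULE_PCRE = re.compile(r"w3who.dll\x3F[^\r\n]{519}", re.IGNORECASE)


def normalize_uri(raw_uri):
    """Assumption: percent-decoding stands in for http_inspect URI normalization."""
    return unquote(raw_uri)


def matches_raw(raw_uri):
    """Rule as written: the pcre sees the URI exactly as it was sent."""
    return RULE_PCRE.search(raw_uri) is not None


def matches_decoded(raw_uri):
    """Rule with the U modifier: the pcre sees the decoded URI buffer."""
    return RULE_PCRE.search(normalize_uri(raw_uri)) is not None


# Constructed sample URIs (path and filler are illustrative, not captured traffic).
FILLER = "A" * 519
SAMPLES = {
    "plain": "/scripts/w3who.dll?" + FILLER,
    "encoded_dot": "/scripts/w3who%2edll?" + FILLER,
    "short_query": "/scripts/w3who.dll?user=test",
}


def evaluate(samples=SAMPLES):
    """Return {name: (raw_match, decoded_match)} for each sample URI."""
    return {name: (matches_raw(uri), matches_decoded(uri))
            for name, uri in samples.items()}


if __name__ == "__main__":
    for name, (raw, decoded) in evaluate().items():
        print(f"{name:12} raw={raw!s:5} decoded={decoded}")
```

Only the decoded match flags both the plain and the `%2e` form, and neither match fires on the short query.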



