[Snort-sigs] False negative in 3087.1 (WEB-IIS w3who.dll buffer overflow attempt)

Brian bmc at ...95...
Tue Jan 25 07:36:04 EST 2005


On Tue, Jan 25, 2005 at 12:25:25AM -0700, nnposter wrote:
> I am not sure that it needs to use the URI buffer to identify a long URI. 
> Could it not use uricontent to verify that w3who.dll is present and then
> a non-URI PCRE looking for a long HTTP request line (but not necessarily
> verifying that it includes w3who.dll)? Something like
> 
>     /^\s*[A-Z]+ +[^ \n]{519}/m

That generates false positives on various pcap I have laying around :(

The proper thing is to fix the http inspect profile for IIS.

Brian
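
The two-part check proposed in the quoted message, evaluated against constructed requests (an added example, not part of the original thread and not Snort's own code). `request_uri`, `evaluate`, `build`, the sample paths and the host name are hypothetical, and the URI test is a plain substring stand-in for `uricontent`; the last sample shows one way the length test and the w3who.dll test can be satisfied by different parts of the payload, which is not necessarily what the pcaps mentioned above contained.

```python
import re

# PCRE from the quoted message; the /m flag maps to re.MULTILINE,
# so ^ anchors at the start of every line in the payload.
LONG_LINE = re.compile(r"^\s*[A-Z]+ +[^ \n]{519}", re.MULTILINE)


def request_uri(payload: str) -> str:
    """Crude stand-in for the URI buffer: second token of the first line."""
    parts = payload.split("\r\n", 1)[0].split(" ")
    return parts[1] if len(parts) > 1 else ""


def evaluate(payload: str) -> dict:
    """Evaluate each condition on its own, then the combined alert."""
    uri_hit = "w3who.dll" in request_uri(payload)
    pcre_hit = LONG_LINE.search(payload) is not None
    return {"uricontent": uri_hit, "pcre": pcre_hit,
            "alert": uri_hit and pcre_hit}


def build(method: str, uri: str, body: str = "") -> str:
    """Assemble a minimal request; all values are constructed samples."""
    return f"{method} {uri} HTTP/1.0\r\nHost: example.test\r\n\r\n{body}"


# Constructed samples: filler is a run of 'A' used only for length.
SAMPLES = {
    # Long request line that does name w3who.dll: both conditions hold.
    "long_w3who": build("GET", "/scripts/w3who.dll?" + "A" * 600),
    # Short request to w3who.dll: URI test holds, length test does not.
    "short_w3who": build("GET", "/scripts/w3who.dll?bogus"),
    # Long request line to another resource: only the length test holds.
    "long_other": build("GET", "/search?q=" + "A" * 600),
    # Short w3who.dll request whose body has a long line: the /m anchor
    # lets the PCRE match the body, so the combined check still alerts.
    "short_w3who_long_body": build("POST", "/scripts/w3who.dll",
                                   "DATA " + "A" * 600),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:24} {evaluate(payload)}")
```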