[Snort-sigs] Another false positive - sid:2435
security at ...704...
Sat Mar 19 12:12:18 EST 2005
Chris Keladis wrote:
> Paul Schmehl wrote:
>> --On Friday, March 18, 2005 05:48:45 PM -0500 Scott Dexter
>> <scott.dexter at ...2420...> wrote:
>>> With a space you always run the chance of a false negative too,
>> Can you give an example?
>> If you're looking for files named foo.eml, what could follow eml
>> without "screwing up" the filename?
> Strictly speaking, ";" comes to mind. "?" is another, or even "&" or "/".
> Although looking at it in the context of the file format, EMF (not to be
> confused with EML) is a graphics format and I don't think should ever
> take input (but I may be wrong, never checked).
> So that takes "?" out of the equation. There are probably more that I
> have missed.
Not taking parameters does not preclude passing parameters.
works just as well as
Adding a space does not catch the example above.
You could set a flowbit that an emf was requested and then look for an
actual emf image returned with a bad format. The bid had sparse details
so you would have to dig into the vuln itself to write a proper rule. I
am generally not concerned with client side vulns so I would turn it off.
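
The false-negative point made in this thread, as an added example that is not part of the original posts: a match on the extension followed by a space is compared with a match on the normalized URI path. The request lines and the function names are constructed for illustration, and `naive_match` is a simplified stand-in for a case-sensitive content match, not the text of sid:2435.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed request lines (not taken from the thread). The same resource is
# requested with each delimiter named above following the extension.
SAMPLE_REQUESTS = [
    "GET /images/logo.emf HTTP/1.0",
    "GET /images/logo.emf?x=1 HTTP/1.0",
    "GET /images/logo.emf;v=2 HTTP/1.0",
    "GET /images/logo.emf&a=b HTTP/1.0",
    "GET /images/logo.emf/extra HTTP/1.0",
    "GET /docs/emf-notes.html HTTP/1.0",   # not an .emf request
    "GET /images/logo.emfx HTTP/1.0",      # different extension
]


def naive_match(request_line, ext=".emf"):
    """Extension followed by a space, anywhere in the request line."""
    return (ext + " ") in request_line


def normalized_match(request_line, ext=".emf"):
    """True when any path segment ends in ext, whatever follows it."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    # urlsplit drops the ?query and #fragment; assumes an origin-form target.
    path = unquote(urlsplit(parts[1]).path)
    for segment in path.split("/"):
        # Cut path parameters and stray '&' suffixes from the segment.
        name = re.split(r"[;&]", segment, maxsplit=1)[0]
        if name.lower().endswith(ext):
            return True
    return False


def false_negatives(requests, ext=".emf"):
    """Requests for ext that the space-terminated match does not see."""
    return [r for r in requests
            if normalized_match(r, ext) and not naive_match(r, ext)]


if __name__ == "__main__":
    for line in false_negatives(SAMPLE_REQUESTS):
        print("missed by space-terminated match:", line)
```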