[Snort-sigs] Another false positive - sid:2435

Jason security at ...704...
Sat Mar 19 12:12:18 EST 2005

Chris Keladis wrote:
> Paul Schmehl wrote:
>> --On Friday, March 18, 2005 05:48:45 PM -0500 Scott Dexter 
>> <scott.dexter at ...2420...> wrote:
>>> With a space you always run the chance of a false negative too,
>> Can you give an example?
>> If you're looking for files named foo.eml, what could follow eml 
>> without "screwing up" the filename?
> Strictly speaking, ";" comes to mind. "?" is another, or even "&" or "/".
> Although looking at it in the context of the file format, EMF (not to be 
> confused with EML) is a graphics format and I don't think should ever 
> take input (but I may be wrong, never checked).
> So that takes "?" out of the equation. There are probably more that I 
> have missed.

Not taking parameters does not preclude passing parameters.


works just as well as


Adding a space does not catch the example above.

You could set a flowbit that an EMF was requested and then look for an 
actual EMF image returned with a bad format. The BID had sparse details, 
so you would have to dig into the vuln itself to write a proper rule. I 
am generally not concerned with client side vulns, so I would turn it off.
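The false-negative point made above (a trailing space after the extension misses requests where ";", "?", "&" or "/" follows the filename), as an added example that is not part of the thread: a small Python check over constructed request lines comparing a space-suffix match with one that accepts those URI delimiters. The delimiter set, function names and sample lines are assumptions drawn from the discussion, not a Snort rule from the list.

```python
import re

# Characters that, per the thread, can legitimately follow a filename in a
# request URI without changing which file is asked for: ";" (path
# parameter), "?" (query), "&", "/" (extra path), plus the whitespace that
# ends the request-line target and end-of-string. Assumed set, not from Snort.
TERMINATOR_CLASS = r"[;?&/\s]"

def naive_content_match(request_line: str, ext: str = ".eml") -> bool:
    """Emulates a case-insensitive content match on '<ext> ' (extension + space)."""
    return (ext + " ") in request_line.lower()

def terminator_aware_match(request_line: str, ext: str = ".eml") -> bool:
    """Matches the extension only when a URI terminator or end-of-string follows.

    This still rejects a longer extension such as '.emlx' (no false positive)
    but does not miss '.eml;', '.eml?' or '.eml/' the way a trailing space does.
    """
    pattern = re.escape(ext) + r"(?=" + TERMINATOR_CLASS + r"|$)"
    return re.search(pattern, request_line, re.IGNORECASE) is not None

# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /mail/foo.eml HTTP/1.1",         # plain request: both checks match
    "GET /mail/foo.eml;type=x HTTP/1.1",  # path parameter after the name
    "GET /mail/foo.eml?x=1 HTTP/1.1",     # query string after the name
    "GET /mail/foo.eml/extra HTTP/1.1",   # extra path after the name
    "GET /mail/foo.emlx HTTP/1.1",        # different extension: must not match
    "GET /mail/foo.EML HTTP/1.0",         # case variant
]

def compare(requests=SAMPLE_REQUESTS, ext=".eml"):
    """Returns (request_line, space_suffix_result, terminator_aware_result)."""
    return [(r, naive_content_match(r, ext), terminator_aware_match(r, ext))
            for r in requests]

def false_negatives(requests=SAMPLE_REQUESTS, ext=".eml"):
    """Request lines the terminator-aware check flags but the space suffix misses."""
    return [r for r, naive, aware in compare(requests, ext) if aware and not naive]

if __name__ == "__main__":
    for r, naive, aware in compare():
        print(f"{r:38} space-suffix={str(naive):5} terminator-aware={aware}")
    print("missed by the space suffix:", false_negatives())
```

The same lookahead pattern can be expressed in a Snort `pcre` option if you want the rule itself, rather than a content match with a trailing space, to decide where the filename ends.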
