[Snort-sigs] Another false positive - sid:2435

Jason security at ...704...
Sat Mar 19 12:12:18 EST 2005


Chris Keladis wrote:
> Paul Schmehl wrote:
> 
>> --On Friday, March 18, 2005 05:48:45 PM -0500 Scott Dexter 
>> <scott.dexter at ...2420...> wrote:
>>
>>>
>>> With a space you always run the chance of a false negative too,
>>
>> Can you give an example?
>>
>> If you're looking for files named foo.eml, what could follow eml 
>> without "screwing up" the filename?
> 
> Strictly speaking, ";" comes to mind. "?" is another, or even "&" or "/".
> 
> Although looking at it in the context of the file format, EMF (not to be 
> confused with EML) is a graphics format and I don't think it should ever 
> take input (but I may be wrong, never checked).
> 
> So that takes "?" out of the equation. There are probably more that I 
> have missed.


Not taking parameters does not preclude passing parameters.

http://www.snort.org/images/snort_org_03.jpg?1234=abcd

works just as well as

http://www.snort.org/images/snort_org_03.jpg

Adding a space does not catch the example above.

You could set a flowbit that an EMF was requested and then look for an 
actual EMF image returned with a bad format. The BID had sparse details, 
so you would have to dig into the vuln itself to write a proper rule. I 
am generally not concerned with client side vulns, so I would turn it off.

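The two points raised in the thread, that a trailing space after the extension creates false negatives whenever `?`, `;` or `/` follows the filename, and that a request-side flowbit plus response-side inspection avoids matching on the URI at all, as an added, self-contained illustration that is not part of the original thread. The request lines are constructed samples, the three matchers emulate the content-match variants in plain Python rather than Snort rule syntax, the EMF signature check uses the ENHMETAHEADER layout (signature `" EMF"` at byte offset 40), and the "bad format" test is a placeholder since the thread gives no details of the actual malformation.

```python
"""Added example: why a trailing-space content match misses requests, and how a
flowbit-style two-stage check (request marks the flow, response is inspected)
sidesteps the problem. Not code from the Snort project or the thread."""
from urllib.parse import urlsplit

# Constructed sample request lines (not captured traffic).
REQUEST_LINES = [
    "GET /images/chart.emf HTTP/1.1",
    "GET /images/chart.emf?1234=abcd HTTP/1.1",  # query string follows the extension
    "GET /images/chart.emf;v=2 HTTP/1.1",        # ';' path parameter
    "GET /images/chart.emf/ HTTP/1.1",           # trailing '/'
    "GET /images/chart.emfx HTTP/1.1",           # different extension, must not match
    "GET /docs/readme.html HTTP/1.1",
]


def match_bare(request_line):
    """Emulates a content match on '.emf': no false negatives on the samples,
    but it also fires on '.emfx' (the false positive the space was meant to fix)."""
    return ".emf" in request_line.lower()


def match_with_space(request_line):
    """Emulates a content match on '.emf ' (extension plus space). The space
    stops '.emfx' matching, but anything between the extension and the space
    (?, ;, /) defeats the match: a false negative."""
    return ".emf " in request_line.lower()


def match_parsed(request_line):
    """Parses the request-target and tests only the path's extension, so query
    strings, parameters and a trailing slash do not change the verdict."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False
    path = urlsplit(parts[1]).path          # drops '?query' and '#fragment'
    path = path.split(";", 1)[0].rstrip("/")  # drop ';params' and trailing '/'
    return path.lower().endswith(".emf")


def compare(request_lines=REQUEST_LINES):
    """Returns {request_line: (bare, with_space, parsed)} for side-by-side review."""
    return {
        line: (match_bare(line), match_with_space(line), match_parsed(line))
        for line in request_lines
    }


# ENHMETAHEADER: iType(4) + nSize(4) + rclBounds(16) + rclFrame(16) = 40 bytes,
# then dSignature = 0x464D4520, which is b" EMF" on the wire (little-endian).
EMF_SIGNATURE_OFFSET = 40
EMF_SIGNATURE = b" EMF"


class EmfFlowTracker:
    """Mirrors the flowbit idea: the request side marks the flow as 'EMF
    requested'; the response side is inspected only when that mark is set."""

    def __init__(self):
        self.flows = {}  # flow key -> True if an .emf was requested on it

    def on_request(self, flow, request_line):
        self.flows[flow] = match_parsed(request_line)

    def on_response(self, flow, body):
        """Returns an alert string, or None when nothing is wrong.
        Placeholder check: a body that does not even carry the EMF signature
        counts as 'bad format'; a real rule would test the specific malformation."""
        if not self.flows.get(flow):
            return None  # flowbit not set: response is not ours to inspect
        sig = body[EMF_SIGNATURE_OFFSET:EMF_SIGNATURE_OFFSET + len(EMF_SIGNATURE)]
        if sig != EMF_SIGNATURE:
            return "EMF requested but response lacks the EMF header signature"
        return None


if __name__ == "__main__":
    for line, verdicts in compare().items():
        print(f"{line:45} bare={verdicts[0]!s:5} space={verdicts[1]!s:5} parsed={verdicts[2]}")
    tracker = EmfFlowTracker()
    tracker.on_request("client->server", REQUEST_LINES[1])
    print(tracker.on_response("client->server", b"<html>not an image</html>"))
```

Running it shows the trailing-space variant missing three of the four `.emf` requests while the parsed check catches all four and still rejects `.emfx`; the tracker then flags the non-EMF body only on a flow where an EMF was actually requested.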