I just did a quick bit of testing to see if a theory of mine is right, and
it *appears* that it is.
The answer to your question is that http://www is decoded to http:/www (part
of the normalization routines include condensing multiple ////'s into a
single /.)
So, pcre:"/http\:\/\/www/U" doesn't match, but both pcre:"/http\:\/\/www/"
and pcre:"/http\:\/www/U" do.
-Joe
-----Original Message-----
From: snort-sigs-admin@lists.sourceforge.net
[mailto:snort-sigs-admin@lists.sourceforge.net]On Behalf Of Frank Knobbe
Sent: Thursday, February 03, 2005 2:36 AM
To: Nigel Houghton
Cc: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] False negative in 3087.1 (WEB-IIS
w3who.dllbuffer overflow attempt)
On Wed, 2005-02-02 at 23:08 -0600, Nigel Houghton wrote:
However, pcre:"/http\:\/\/www/U"; will not.
Seems that this is written according to manual, yet /U breaks
the rule.
Any idea why?
"Match the _decoded_ URI buffers (Similar to _uricontent_)"
Uhm... yeah? http://www in... so what is that decoded to? Other than
http://www?
Perhaps I'm not seeing the tree at the end of the tunnel... ;)
Later,
Frank
-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
