Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] Another false positive - sid:2435

from [Jason] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] Another false positive - sid:2435
Date: Sat, 19 Mar 2005 15:11:34 -0500


Chris Keladis wrote: 
Paul Schmehl wrote:

--On Friday, March 18, 2005 05:48:45 PM -0500 Scott Dexter <scott.dexter@gmail.com> wrote:


With a space you always run the chance of a false negative too, 



Can you give an example?

If you're looking for files named foo.eml, what could follow eml without "screwing up" the filename? 


Strictly speaking, ";" comes to mind. "?" is another, or even "&" or "/".

Although looking at it in the context of the file format, EMF (not to be confused with EML) is a graphics format and i dont think should ever take input (but i may be wrong, never checked).

So that takes "?" out of the equation. There are probably more that i have missed. 


Not taking parameters does not preclude passing parameters.

http://www.snort.org/images/snort_org_03.jpg?1234=abcd

works just as well as

http://www.snort.org/images/snort_org_03.jpg

adding a space does not catch the example above

you could set a flowbit that an emf was requested and then look for an actual emf image returned with a bad format. The bid had sparse details so you would have to dig into the vuln itself to write a proper rule. I am generally not concerned with client side vulns so I would turn it off.




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] rules vs. thresholding, Lee Clemens
Next by Date:  Re: [Snort-sigs] False positive - sid 1365, Jason
Previous by Thread:  Re: [Snort-sigs] Another false positive - sid:2435, Chris Keladis
Next by Thread:  [Snort-sigs] rules vs. thresholding, Lee Clemens
Indexes:  [Date] [Thread] [Top] [All Lists]