TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Not sure if this made it through to the list... the list seems to take 2+
days to send anything!
> -----Original Message-----
> From: Craig Humphrey
> Sent: Thursday, August 02, 2001 10:08 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Code Red for RealSecure
>
>
> Hi Jim,
>
> doesn't this mean that:
>
> A) A site that genuinely uses default.ida is going to get
> continuous false positives.
>
> B) A minor variant of CodeRed could request
> "somekindoffilename.ida?NNN...." and it would slip right by
> the signature.
>
> It does seem to be an overly specific and short-sighted signature.
> Wouldn't a better signature be something along the lines of:
> /[^\.]*\.ida?[^=]{XX,}=$
>
> Excuse my poor regex, but I think that's OK.
> Where XX is the length required to cause the buffer overflow.
>
> This would trap any request aimed at the .ida files, but only
> ones that had queries that were long enough to cause a buffer
> overflow.
>
> Just my 2c. Thoughts anyone?
>
> Later'ish
> Craig
> [if you're going to wear a condom, make sure it's not made of
> Swiss cheese]
>
>
>
> > The back-slash \ in default\.ida$ is there to indicate to the RS regex
> > parser that the period is to be read literally as a period and NOT to be
> > considered a period meta-character (a regex period = 1 character of any
> > description, except newline). And having default.ida on your system is all
> > you need for an indication that the VULNERABILITY is there, so looking for a
> > GET of default.ida is all you need to indicate that the THREAT is there. Of
> > course, you could always add the binary code portion of the attack at the
> > end of the packet, but why type more when less will do?
> >
> > BTW, the folks at ISS Support educated me on the $ (EOL indicator) in the
> > suggested default\.ida$ string recommendation. Using a User Defined Event
> > context of URL Data, any part of the line that includes CGI parameters
> > (including the ? and all subsequent data) is not passed to the RS parser.
> > So the GET line effectively ends for the RS parser at the end of the
> > default.ida phrase. Hence default\.ida$
> >
> > Jim Lindley
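The two signatures discussed in this thread, modelled in plain Python as an added example (not code from either poster or from RealSecure): the narrow `default\.ida$` match run against the path only, as the RS "URL Data" context does, beside Craig's broader length-based idea. Assumptions: his `ida?` is read as a literal `?` after `.ida`, the trailing `$` is dropped so a query ending in `=a` still matches, and MIN_QUERY_LEN is an illustrative threshold standing in for his "XX", not the real overflow length; the request lines are constructed samples with padding only, no payload.

```python
import re

# Constructed sample request lines. The long run of "N" stands in for
# the worm's padding; no real attack bytes are included.
SAMPLES = {
    "worm_default":   "GET /default.ida?" + "N" * 300 + "=a HTTP/1.0",
    "worm_variant":   "GET /somekindoffilename.ida?" + "N" * 300 + "=a HTTP/1.0",
    "benign_default": "GET /default.ida?name=x HTTP/1.0",
    "benign_other":   "GET /index.html HTTP/1.0",
}

# Narrow signature from the thread. RealSecure's URL Data context drops
# everything from '?' onward before matching, which is why '$' works;
# url_data() models that truncation.
NARROW = re.compile(r"default\.ida$")

# Craig's broader sketch as a working regex (assumption: "ida?" meant a
# literal '?' after ".ida"; the final '$' is dropped so "=a" matches).
# MIN_QUERY_LEN is an illustrative threshold, not the real overflow length.
MIN_QUERY_LEN = 200
BROAD = re.compile(r"/[^.?]*\.ida\?[^=]{%d,}=" % MIN_QUERY_LEN)


def request_target(line):
    """Return the request target ('/path?query') from an HTTP request line."""
    parts = line.split()
    return parts[1] if len(parts) >= 2 else ""


def url_data(line):
    """Model the RS URL Data context: the path only, query string removed."""
    return request_target(line).split("?", 1)[0]


def match_narrow(line):
    """True when the path ends in default.ida (hits benign use too: point A)."""
    return NARROW.search(url_data(line)) is not None


def match_broad(line):
    """True for any .ida request whose query is long enough (catches point B)."""
    return BROAD.search(request_target(line)) is not None


def evaluate(samples=SAMPLES):
    """Map each sample name to (narrow_hit, broad_hit)."""
    return {name: (match_narrow(line), match_broad(line))
            for name, line in samples.items()}
```

Running `evaluate()` shows the narrow rule firing on the benign default.ida request and missing the renamed-file variant, while the length-based rule does the reverse.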