[Snort-devel] http_decode issue

Chris Green cmg at ...81...
Wed Nov 28 14:41:02 EST 2001


Trying to document conversations to increase chances of recall

Ryan Russel was pointing out

web-misc.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
    (msg:"WEB-MISC ROXEN directory list attempt"; flags: A+;
    content:"|2F 25 30 30 2F|";
    nocase; reference:bugtraq,1510; reference:cve,CVE-2000-0671;
    classtype:attempted-recon; sid:1109; rev:1;)

which is a confusing way to say
content:"/%00/"; wasn't alerting on

GET /%00/

Turns out that it does alert on

content:"/|00|/"
uricontent: "/|00|/"

Is there a way to specify the raw data of a packet to a rule?

Note that for testing I was using

preprocessor http_decode: 80 -unicode -cginull
-- 
Chris Green <cmg at ...81...>
"Yeah, but you're taking the universe out of context."
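The observation above comes down to which buffer the content match runs against. The following is an added illustration, not Snort's code and not part of the original message: it parses the two content specs from the post (the `|2F 25 30 30 2F|` form and the `/|00|/` form), pulls the URI out of a constructed `GET /%00/` request, and checks each pattern against both the raw URI and a percent-decoded copy. `normalize_uri` is only an assumption about the *effect* of a URI-decoding preprocessor such as http_decode (plain percent-decoding); it is not its implementation, and the request, `example.test` host and function names are made up for the demonstration.

```python
from urllib.parse import unquote_to_bytes

# Constructed request mirroring the one in the post (GET /%00/); not captured traffic.
SAMPLE_REQUEST = b"GET /%00/ HTTP/1.0\r\nHost: example.test\r\n\r\n"


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string such as '|2F 25 30 30 2F|' or '/|00|/'
    into the byte pattern it denotes: text outside |...| is literal,
    text inside is space-separated hex byte values."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")     # literal segment
        else:
            out += bytes.fromhex(part)        # hex segment (whitespace is ignored)
    return bytes(out)


def extract_uri(request: bytes) -> bytes:
    """Return the request-target from the first line of an HTTP request."""
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[1]


def normalize_uri(uri: bytes) -> bytes:
    """Hypothetical stand-in for the percent-decoding a URI normaliser applies
    before content inspection (an assumption about the effect, not Snort's code)."""
    return unquote_to_bytes(uri)


def evaluate(spec: str, request: bytes) -> dict:
    """Report whether a content pattern matches the raw URI bytes and whether it
    matches the decoded URI, so the two views can be compared side by side."""
    pattern = parse_content(spec)
    uri = extract_uri(request)
    return {
        "raw": pattern in uri,
        "decoded": pattern in normalize_uri(uri),
    }


def sensor_alerts(spec: str, request: bytes) -> bool:
    """Model of a sensor that inspects only the decoded buffer, which is the
    behaviour the post describes: '/%00/' misses, '/|00|/' hits."""
    return evaluate(spec, request)["decoded"]


if __name__ == "__main__":
    for spec in ("|2F 25 30 30 2F|", "/|00|/"):
        print(spec, evaluate(spec, SAMPLE_REQUEST), "alerts:", sensor_alerts(spec, SAMPLE_REQUEST))
```

Running it shows the split the post describes: the hex-encoded `/%00/` pattern is present in the raw URI but absent from the decoded one, while `/|00|/` is the reverse. A rule that needs to catch the encoded form regardless of normalisation has to be matched against the raw bytes, which is exactly the capability the question at the end of the message asks about.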
