[Snort-devel] [ snort-Bugs-571237 ] HTTP Preprocessors and unicode

noreply at ...12... noreply at ...12...
Fri Jun 21 18:23:02 EDT 2002


Bugs item #571237, was opened at 2002-06-19 11:08
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=571237&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: HTTP Preprocessors and unicode

Initial Comment:
I was testing the functions of the http_decode and 
unidecode processors of ver 1.8.6.  The snort.conf file 
indicates that the preprocessor unidecode is a potential 
replacement for http_decode.  If either one of these 
is commented out, SNORT will not detect a URI with 
embedded unicode.  For example, I entered the 
following URI:

http://xxx.xxx.xxx.xxx./scripts..%255c..%255cwinnt/....etc.....

The signature WEB_IIS .... access is not triggered.

With both preprocessors active, the rule is triggered.



----------------------------------------------------------------------
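The URI in the report is percent-encoded twice (`%255c` decodes to `%5c`, which decodes to `\`), so a content match on a backslash only succeeds after two decoding passes. The sketch below is an added example, not Snort code and not part of the original report; the pattern `..\`, the function names, and the idea that each preprocessor contributes one pass are assumptions.

```python
import re

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")

# Visible part of the URI path from the report; the elided tail is left out.
SAMPLE_URI = "/scripts..%255c..%255cwinnt/"
PATTERN = "..\\"  # hypothetical content pattern: dot-dot-backslash


def decode_once(uri):
    """One percent-decoding pass: every %XX becomes the character it encodes.

    re.sub does not rescan its own output, so "%255c" becomes "%5c" here,
    not a backslash. Bytes above 0x7f are mapped 1:1 for illustration only.
    """
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), uri)


def match_by_pass(uri, pattern=PATTERN, max_passes=4):
    """Return [(pass_number, uri_after_pass, pattern_matched)] up to a fixed point."""
    stages = [(0, uri, pattern in uri)]
    for n in range(1, max_passes + 1):
        decoded = decode_once(uri)
        if decoded == uri:  # nothing left to decode
            break
        uri = decoded
        stages.append((n, uri, pattern in uri))
    return stages


def is_multiply_encoded(uri):
    """True if more than one pass changed the URI, itself worth alerting on."""
    return len(match_by_pass(uri)) > 2


if __name__ == "__main__":
    for n, text, hit in match_by_pass(SAMPLE_URI):
        print(f"pass {n}: {text!r} match={hit}")
    print("multiply encoded:", is_multiply_encoded(SAMPLE_URI))
```

Decoding to a fixed point can also rewrite legitimate URIs that carry a literal `%25`, so the normalized form should be used for matching only, never forwarded.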
