[Snort-devel] bug in spp_http_decode.c - patch included

Chris Green cmg at ...402...
Sun Mar 31 18:31:11 EST 2002


"Oliver Friesen" <oliver_friesen at ...445...> writes:

> System Architecture: x86
> Operating System and version: Linux 2.4.5
> What rules (if any) you were using: out of the box defaults
> What command line switches you were using: -X -c -l
> Any Snort error messages: n/a
>
> http_decode doesn't correctly adjust the packet size or move forward
> the remainder of the request after it has converted escaped
> characters. I discovered this problem due to an actual attack.

Munging the packet is a kludge and always has been unfortunately.  In
the head branch, I just made some (untested for Unicode stuff) changes
to only use URI.uri and actually munge the packet.

I'll look at your changes for 1.8.5 tommorrow
-- 
Chris Green <cmg at ...402...>
Laugh and the world laughs with you, snore and you sleep alone.




More information about the Snort-devel mailing list