[Snort-devel] [Snort-Devel] bug in http preprocessor and non ascii characters

Bhagya Bantwal bbantwal at ...402...
Wed Mar 16 13:23:28 EDT 2011

You can turn on extended_ascii_uri in http_inspect_server to handle non
printable letters.

On Wed, Mar 16, 2011 at 1:02 PM, matan monitz <mmonitz at ...2499...> wrote:

> hello
> i am encountering runaway uri buffers when inspecting packets with non
> ascii characters in the uri
> what basically happens is that for some reason if the uri contains non
> printable letters (hebrew ansi from IE for instance) the uri buffer gets
> filled with header data resulting in false positives
> i haven't tested the buffers using the methods described in the recent blog
> post but have tested it with custom rules and was able to recreate the bug
> is this a known bug or some configuration option i'm missing?
>  i can post the test pcaps and rules if needed
> ------------------------------------------------------------------------------
> Colocation vs. Managed Hosting
> A question and answer guide to determining the best fit
> for your organization - today and in the future.
> http://p.sf.net/sfu/internap-sfd2d
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20110316/5c977f1c/attachment.html>

More information about the Snort-devel mailing list