[Snort-devel] [Snort-Devel] bug in http preprocessor and non ascii characters

matan monitz mmonitz at ...2499...
Wed Mar 16 17:43:27 EDT 2011

thank you, that helped
are there supposed to be any negative side effects to this option?

On Wed, Mar 16, 2011 at 7:23 PM, Bhagya Bantwal <bbantwal at ...402...>wrote:

> You can turn on extended_ascii_uri in http_inspect_server to handle non
> printable letters.
> -B
> On Wed, Mar 16, 2011 at 1:02 PM, matan monitz <mmonitz at ...2499...> wrote:
>> hello
>> i am encountering runaway uri buffers when inspecting packets with non
>> ascii characters in the uri
>> what basically happens is that for some reason if the uri contains non
>> printable letters (hebrew ansi from IE for instance) the uri buffer gets
>> filled with header data resulting in false positives
>> i haven't tested the buffers using the methods described in the recent
>> blog post but have tested it with custom rules and was able to recreate the
>> bug
>> is this a known bug or some configuration option i'm missing?
>>  i can post the test pcaps and rules if needed
>> ------------------------------------------------------------------------------
>> Colocation vs. Managed Hosting
>> A question and answer guide to determining the best fit
>> for your organization - today and in the future.
>> http://p.sf.net/sfu/internap-sfd2d
>> _______________________________________________
>> Snort-devel mailing list
>> Snort-devel at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20110316/8efae426/attachment.html>

More information about the Snort-devel mailing list