[Snort-devel] [Snort-Devel] bug in http preprocessor and non ascii characters 2.8.6.1

Bhagya Bantwal bbantwal at ...402...
Fri Mar 18 10:56:13 EDT 2011


I dont really see a side effect. If you have a set up which sees a lot of
HTTp traffic with extended ascii or unicode URI I would  suggest using this
option.

The URI buffer pointing to entire header when this option is not turned on
will be fixed soon.

-B
On Wed, Mar 16, 2011 at 5:43 PM, matan monitz <mmonitz at ...2499...> wrote:

> thank you, that helped
> are there supposed to be any negative side effects to this option?
>
>
> On Wed, Mar 16, 2011 at 7:23 PM, Bhagya Bantwal <bbantwal at ...402...>wrote:
>
>>
>> You can turn on extended_ascii_uri in http_inspect_server to handle non
>> printable letters.
>>
>> -B
>> On Wed, Mar 16, 2011 at 1:02 PM, matan monitz <mmonitz at ...2499...> wrote:
>>
>>> hello
>>> i am encountering runaway uri buffers when inspecting packets with non
>>> ascii characters in the uri
>>> what basically happens is that for some reason if the uri contains non
>>> printable letters (hebrew ansi from IE for instance) the uri buffer gets
>>> filled with header data resulting in false positives
>>> i haven't tested the buffers using the methods described in the recent
>>> blog post but have tested it with custom rules and was able to recreate the
>>> bug
>>> is this a known bug or some configuration option i'm missing?
>>>  i can post the test pcaps and rules if needed
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Colocation vs. Managed Hosting
>>> A question and answer guide to determining the best fit
>>> for your organization - today and in the future.
>>> http://p.sf.net/sfu/internap-sfd2d
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20110318/076d14f8/attachment.html>


More information about the Snort-devel mailing list