[Snort-sigs] on rules and http preprocessor (a comment)

Fyodor fygrave at ...1...
Mon Oct 9 08:26:52 EDT 2000


By the way, I was just testing snort rules and noticed that snort doesn't
trigger an alert if you have a rule saying `content: "%20%2e.blah"', and have
an http preprocessor enabled. Instead you will have to use `content: |20 2e|.blah'
or something... but as you see it will also match a packet which contained ` ..blah'
data, for example. In most cases it would be the same but some rules are looking for
%2e%2e%2e packets explicitly.. for this case we will have to think of a way around, if possible..

Any thoughts would be welcome of course ;-)


-Fyodor
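The behaviour described in this message, as an added example that is not part of the original post and is not Snort's code: a toy Python model in which `normalize` stands in for the http preprocessor and `matches` for a `content:` check. The function names, the sample requests and the raw-buffer check in `matches_raw_encoded` are assumptions made for illustration.

```python
import re

def normalize(payload: bytes) -> bytes:
    """Decode %XX escapes; a simplified stand-in for an HTTP-normalizing preprocessor."""
    return re.sub(rb"%([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), payload)

def parse_content(pattern: str) -> bytes:
    """Turn a Snort-style content string with |hex| sections into raw bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        # Odd-numbered parts sit between pipes and hold hex bytes.
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return bytes(out)

def matches(pattern: str, payload: bytes, preprocessor: bool = True) -> bool:
    """Search for the pattern in the buffer the detection step would see."""
    buf = normalize(payload) if preprocessor else payload
    return parse_content(pattern) in buf

def matches_raw_encoded(encoded: str, payload: bytes) -> bool:
    """Assumed workaround: look for the encoded form in the untouched bytes.
    Both sides are lowercased so %2E and %2e compare equal."""
    return encoded.lower().encode("ascii") in payload.lower()

# Constructed sample requests (not captured traffic).
ENCODED = b"GET /cgi-bin/%20%2e.blah HTTP/1.0\r\n\r\n"
LITERAL = b"GET /cgi-bin/ ..blah HTTP/1.0\r\n\r\n"

def summary() -> dict:
    """Collect the outcomes discussed in the message."""
    return {
        "encoded rule, no preprocessor": matches("%20%2e.blah", ENCODED, False),
        "encoded rule, preprocessor on": matches("%20%2e.blah", ENCODED, True),
        "hex rule vs encoded request": matches("|20 2e|.blah", ENCODED),
        "hex rule vs literal request": matches("|20 2e|.blah", LITERAL),
        "raw check vs encoded request": matches_raw_encoded("%20%2e.blah", ENCODED),
        "raw check vs literal request": matches_raw_encoded("%20%2e.blah", LITERAL),
    }

if __name__ == "__main__":
    for name, hit in summary().items():
        print(f"{name}: {hit}")
```

Once the buffer is decoded, the hex-form rule cannot tell the encoded request from the literal one; only a check against the undecoded bytes keeps that distinction.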


