[Snort-sigs] SID 1042 false positives: WEB-IIS view source via translate header

Jason Haar Jason.Haar at ...651...
Sun Dec 7 14:05:00 EST 2003

On Sat, 2003-12-06 at 04:42, Brian wrote:
> You can't be sure that you are going to see a "GET" in the same packet,
> which is why we don't search for it.

That brings up an interesting point. As the rule contains
"flow:to_server, established;", doesn't that mean that this rule should
match against the entire data stream sent from the client?

Just how does Snort "do" that kind of thing? I understand that could
easily be a Gb datastream - which would sort of crash Snort - so just
how does this "flow" stuff work at the rule level?


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

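As an added illustration of the point raised above (not Snort code and not part of the original thread): a content match such as the header that SID 1042 looks for can be split across two TCP segments, so per-packet inspection misses it, while scanning the reassembled client-to-server stream with a small carry-over buffer finds it without keeping the whole stream in memory. The request bytes, the segment sizes and the exact `Translate: F` pattern are constructed assumptions for the demonstration.

```python
# Added illustration (not Snort's implementation): per-packet matching versus
# matching on the reassembled client-to-server stream with bounded memory.

# Constructed sample request; the rule content string is assumed.
PATTERN = b"Translate: F"
REQUEST = (b"GET /default.asp HTTP/1.1\r\n"
           b"Host: www.example.com\r\n"
           b"Translate: F\r\n"
           b"\r\n")


def split_stream(data: bytes, sizes) -> list:
    """Cut data into consecutive segments of the given sizes (constructed input)."""
    out, pos = [], 0
    for n in sizes:
        out.append(data[pos:pos + n])
        pos += n
    out.append(data[pos:])
    return [s for s in out if s]


def per_packet_matches(segments, pattern=PATTERN) -> int:
    """Per-packet inspection: a pattern straddling a segment boundary is missed."""
    return sum(1 for seg in segments if pattern in seg)


def reassembled_matches(segments, pattern=PATTERN) -> int:
    """Count non-overlapping matches in the reassembled byte stream while keeping
    only len(pattern)-1 trailing bytes between segments: enough to complete a
    match that began in an earlier segment, so memory does not grow with the
    size of the stream."""
    keep = len(pattern) - 1
    buf, start, hits = b"", 0, 0
    for seg in segments:
        buf += seg
        while (idx := buf.find(pattern, start)) >= 0:
            hits += 1
            start = idx + len(pattern)      # resume after the match, no re-count
        if len(buf) > keep:                 # drop bytes that can no longer start a match
            shift = len(buf) - keep
            buf, start = buf[shift:], max(0, start - shift)
    return hits


if __name__ == "__main__":
    segs = split_stream(REQUEST, [27, 28])  # second cut lands inside "Translate: F"
    print("per-packet:", per_packet_matches(segs))      # 0
    print("reassembled:", reassembled_matches(segs))    # 1
```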