[Snort-sigs] Does HTML always escape?
mkettler at ...189...
Wed Apr 21 12:04:04 EDT 2004
At 11:01 AM 4/21/2004, Derek Edwards wrote:
>I've been away from the list for a while, so please bear with me if I've
>missed something important. Given this signature installed in Snort 1.9
>to detect an attempt to misuse MHTML in an HTML document:
>alert tcp any any -> $HOME_NET any (msg:"MTHML URL Attempt";
>flow:from_server,established; content:"ms-its|3A|mhtml|3A|"; nocase;
>sid:1000019; rev:4; )
>The HTML snippet below brings up a general question. Is there any way to
>detect this kind of HTML, given the way the leading 'm' character is escaped?
>The difficulty in supporting the variety of encodings used is covered in a
>recent "incidents-list" thread
Correct me if I'm wrong, but isn't decoding all that escape garbage the job
of the http_inspect preprocessor? (Note: I'm not sure what the Snort 1.9
equivalent preprocessor is named. 1.9 is so old the details have long since
escaped my memory, but I suspect it had an HTTP decoder of some sort.)
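
Added example, not part of the original thread and not Snort or http_inspect code: a Python sketch of the question being discussed, comparing a plain content/nocase match on the rule's string with the same match made after HTML character references and %XX escapes are decoded. The function names and sample payloads are constructed for illustration.

```python
import html
from urllib.parse import unquote

# The rule's content string "ms-its|3A|mhtml|3A|" (|3A| is ':'), matched nocase.
SIGNATURE = "ms-its:mhtml:"

def raw_match(payload: bytes) -> bool:
    """Plain content/nocase match over the bytes exactly as they were sent."""
    return SIGNATURE.encode() in payload.lower()

def normalize(payload: bytes, max_rounds: int = 3) -> str:
    """Decode HTML character references and %XX escapes, repeating a bounded
    number of times so nested encodings are unwrapped without looping forever."""
    text = payload.decode("latin-1")  # latin-1 maps every byte, so this never fails
    for _ in range(max_rounds):
        decoded = unquote(html.unescape(text), encoding="latin-1")
        if decoded == text:
            break
        text = decoded
    return text

def normalized_match(payload: bytes) -> bool:
    """Same literal, but tested after the escapes have been decoded."""
    return SIGNATURE in normalize(payload).lower()

# Constructed sample payloads (PLACEHOLDER stands in for the rest of the URL).
SAMPLES = {
    "plain": b'<object data="ms-its:mhtml:PLACEHOLDER">',
    "decimal entity": b'<object data="&#109;s-its:mhtml:PLACEHOLDER">',
    "hex entities, upper case": b'<object data="&#x4D;S-ITS&#58;MHTML&#x3a;PLACEHOLDER">',
    "percent-encoded entity": b'<object data="%26%23109%3Bs-its%3Amhtml%3APLACEHOLDER">',
    "benign": b"<p>Saving a page as an mhtml archive</p>",
}

def run_samples() -> dict:
    """Return {sample name: (raw_match, normalized_match)} for each sample."""
    return {name: (raw_match(p), normalized_match(p)) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (raw, norm) in run_samples().items():
        print(f"{name:26} raw={raw!s:5} normalized={norm}")
```

Only the unescaped sample is caught by the raw match; the three escaped variants are caught only after normalization, and the benign sample matches neither.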