[Snort-sigs] Does HTML always escape?

Matt Kettler mkettler at ...189...
Wed Apr 21 12:04:04 EDT 2004

At 11:01 AM 4/21/2004, Derek Edwards wrote:
>I've been away from the list for a while, so please bear with me if I've 
>missed something important.  Given this signature installed in Snort 1.9 
>to detect an attempt to misuse MHTML in an HTML document:
>alert tcp any any -> $HOME_NET any (msg:"MTHML URL Attempt"; 
>flow:from_server,established; content:"ms-its|3A|mhtml|3A|"; nocase; 
>reference:cve,CAN-2004-0380; classtype:web-application-attack; 
>sid:1000019; rev:4; )
>The HTML snippet below brings up a general question.  Is there any way to 
>detect this kind of HTML, given the way the leading 'm' character is escaped?
>The difficulty in supporting the variety of encodings used is covered in a 
>recent "incidents-list" thread 

Correct me if I'm wrong, but isn't decoding all that escape garbage the job 
of the http_inspect preprocessor? (Note: I'm not sure what the Snort 1.9 
equivalent preprocessor is named. 1.9 is so old the details have long since 
escaped my memory, but I suspect it had an HTTP decoder of some sort.)
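As an added illustration (not code from the thread or from Snort), the following Python sketch shows the "decode first, then match" approach the reply is pointing at: the rule's content pattern is applied once to the raw response body and once after HTML character references have been decoded. The sample bodies are constructed for this example; the hypothetical `normalized_match` step stands in for whatever decoding a preprocessor would perform and is not a claim about what any particular Snort version does with response bodies.

```python
import html
import re

# Constructed sample response bodies (not taken from the original thread).
# Several hide the literal "ms-its:mhtml:" prefix behind a different
# HTML character-reference encoding of one or more characters.
SAMPLES = {
    "plain":   '<a href="ms-its:mhtml:file://C:\\x.mht!x.htm">a</a>',
    "decimal": '<a href="&#109;s-its:mhtml:file://C:\\x.mht!x.htm">a</a>',
    "hex":     '<a href="&#x6d;s-its:&#x6D;html:file://C:\\x.mht!x.htm">a</a>',
    "named":   '<a href="ms-its&colon;mhtml&colon;file://C:\\x.mht!x.htm">a</a>',
    "mixed":   '<a href="M&#83;-ITS&#58;Mhtml&#x3a;file://C:\\x.mht!x.htm">a</a>',
    "benign":  '<a href="https://example.invalid/">a</a>',
}

# Equivalent of the rule's content:"ms-its|3A|mhtml|3A|"; nocase;
# (|3A| is the hex byte for ':').
PATTERN = re.compile(re.escape("ms-its:mhtml:"), re.IGNORECASE)


def raw_match(body: str) -> bool:
    """Naive matcher: searches the body exactly as received, no decoding."""
    return PATTERN.search(body) is not None


def normalize(body: str) -> str:
    """Decode HTML character references (&#109; &#x6d; &colon; ...) to text.

    html.unescape handles decimal, hexadecimal and HTML5 named references.
    This is HTML entity decoding, which is distinct from the URI
    percent-decoding (%xx) typically applied to request URLs.
    """
    return html.unescape(body)


def normalized_match(body: str) -> bool:
    """Hypothetical preprocessor step: decode, then apply the same content match."""
    return PATTERN.search(normalize(body)) is not None


def evaluate(samples=SAMPLES):
    """Return {name: (raw_hit, normalized_hit)} for every sample body."""
    return {name: (raw_match(b), normalized_match(b)) for name, b in samples.items()}


if __name__ == "__main__":
    for name, (raw, norm) in evaluate().items():
        print(f"{name:8s} raw={raw!s:5s} normalized={norm}")
```

Running it shows that only the `plain` body trips the raw content match, while every encoded variant is caught once the references are decoded, and the benign link matches neither way; that difference is exactly the gap between matching on the wire bytes and matching on what the browser will actually see.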
