[Snort-sigs] SID 1436: MULTIMEDIA Quicktime User Agent access

Stephan Scholz sscholz at ...2481...
Fri Aug 6 03:04:03 EDT 2004


Rule 1436 does not catch all QuickTime traffic, because of case-insensitive matching.
When opening a QuickTime connection, a string like the following can be seen:

User-Agent: QuickTime (qtver=6.5.1;os=Windows NT 5.1Service Pack 1)

The rule searched for "Quicktime" instead of "QuickTime".
I suggest adding a "nocase" flag to the rule.

Regards,
Stephan


-- 
Stephan Scholz <sscholz at ...2481...> | Development
Astaro AG | www.astaro.com | Phone +49-721-490069-0 | Fax -55

Documentation: http://docs.astaro.org
User Bulletin Board: http://www.astaro.org

- Certified by ICSA labs - June 2004
- Computer Reseller News: "CRN Certified Program" - June 2004
- Linux Pro Italy: Best Rating 10 out of 10 points - May 2004
- Linux Enterprise Readers' Choice Award: Best Firewall - October 2003





More information about the Snort-sigs mailing list