[Snort-sigs] SID 1436: MULTIMEDIA Quicktime User Agent access
sscholz at ...2481...
Fri Aug 6 03:04:03 EDT 2004
Rule 1436 does not catch all QuickTime traffic, because of case-insensitive matching.
When opening a QuickTime connection, a string like the following can be seen:
User-Agent: QuickTime (qtver=6.5.1;os=Windows NT 5.1Service Pack 1)
The rule searched for "Quicktime" instead of "QuickTime".
I suggest adding a "nocase" flag to the rule.
Stephan Scholz <sscholz at ...2481...> | Development
Astaro AG | www.astaro.com | Phone +49-721-490069-0 | Fax -55
User Bulletin Board: http://www.astaro.org
- Certified by ICSA labs - June 2004
- Computer Reseller News: "CRN Certified Program" - June 2004
- Linux Pro Italy: Best Rating 10 out of 10 points - May 2004
- Linux Enterprise Readers' Choice Award: Best Firewall - October 2003
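The mismatch reported in the message above, as an added example that is not part of the original post and not Snort's own code: a small Python model of how a `content` option behaves with and without a trailing `nocase` modifier (Snort content matches are case-sensitive unless `nocase` is given). The rule options are a simplified, constructed stand-in for SID 1436, and the request around the User-Agent line is constructed sample data.

```python
import re

# Constructed, simplified rule options; NOT the verbatim text of SID 1436.
RULE_AS_REPORTED = 'content:"User-Agent|3A| Quicktime";'
RULE_WITH_NOCASE = 'content:"User-Agent|3A| Quicktime"; nocase;'

# Constructed request; only the User-Agent line is taken from the post.
SAMPLE = (b"GET /sample.mov HTTP/1.1\r\n"
          b"Host: media.example\r\n"
          b"User-Agent: QuickTime (qtver=6.5.1;os=Windows NT 5.1Service Pack 1)\r\n\r\n")

def decode_content(pattern: str) -> bytes:
    """Decode a content string, expanding |hex| sections into raw bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2:                       # odd segments sit between pipes: hex
            out += bytes.fromhex(part)  # fromhex tolerates spaces between bytes
        else:
            out += part.encode("latin-1")
    return bytes(out)

def parse_contents(options: str):
    """Return [(pattern_bytes, nocase)]; nocase modifies the preceding content."""
    contents = []
    for name, value in re.findall(r'(\w+)(?::\s*("[^"]*"|[^;]*))?\s*;', options):
        if name == "content":
            contents.append([decode_content(value.strip('"')), False])
        elif name == "nocase" and contents:
            contents[-1][1] = True
    return [tuple(c) for c in contents]

def matches(options: str, payload: bytes) -> bool:
    """True if every content pattern occurs in the payload.

    Offsets, ordering and other modifiers are not modelled here.
    """
    for pattern, nocase in parse_contents(options):
        hay, needle = payload, pattern
        if nocase:
            hay, needle = payload.lower(), pattern.lower()
        if needle not in hay:
            return False
    return True

if __name__ == "__main__":
    for label, rule in (("as reported", RULE_AS_REPORTED),
                        ("with nocase", RULE_WITH_NOCASE)):
        print(f"{label:12s} -> {'alert' if matches(rule, SAMPLE) else 'no match'}")
```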