[Snort-sigs] SID 1436: MULTIMEDIA Quicktime User Agent access

Alex Kirk alex.kirk at ...435...
Mon Aug 9 12:59:10 EDT 2004


Stephan Scholz wrote:

> Rule 1436 does not catch all QuickTime traffic, because of 
> case-insensitive matching.
> When opening a QuickTime connection, a string like the following can 
> be seen:
>
> User-Agent: QuickTime (qtver=6.5.1;os=Windows NT 5.1Service Pack 1)
>
> The rule searched for "Quicktime" instead of "QuickTime".
> I suggest adding a "nocase" flag to the rule.
>
> Regards,
> Stephan
>
>
Sounds like a valid point; I'll add a bug to make that case-insensitive 
(which wouldn't even hurt if the User-Agent *is* always capitalized the 
way we have it).

Alex Kirk
Research Analyst
Sourcefire, Inc.




More information about the Snort-sigs mailing list