[Snort-sigs] SID 1436: MULTIMEDIA Quicktime User Agent access
alex.kirk at ...435...
Mon Aug 9 12:59:10 EDT 2004
Stephan Scholz wrote:
> Rule 1436 does not catch all QuickTime traffic, because of
> case-insensitive matching.
> When opening a QuickTime connection, a string like the following can
> be seen:
> User-Agent: QuickTime (qtver=6.5.1;os=Windows NT 5.1Service Pack 1)
> The rule searched for "Quicktime" instead of "QuickTime".
> I suggest adding a "nocase" flag to the rule.
Sounds like a valid point; I'll add a bug to make that case-insensitive
(which wouldn't even hurt if the User-Agent *is* always capitalized the
way we have it).
More information about the Snort-sigs