[Snort-sigs] New adobe vulnerability

Frank Knobbe frank at ...1978...
Fri Aug 20 09:50:07 EDT 2004


On Fri, 2004-08-20 at 10:37, nnposter at ...592... wrote:

> Yes. Only uricontent is preprocessed with http_inspect. content and pcre
> are not.

Okay, so I would assume that all HTTP related rules should be crafted
with [uri]content instead of pcre then..... to take advantage of the
HTTP normalization by the preprocessor.

In other words, pcre based rules would be easy to evade by various HTTP
encodings, right?

Cheers,
Frank

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20040820/0c9ac835/attachment.sig>


More information about the Snort-sigs mailing list