[Snort-sigs] New adobe vulnerability

Matthew Watchinski mwatchinski at ...435...
Fri Aug 20 11:16:01 EDT 2004


You can do a "pcre:/<regexhere/U" and pcre will look at the normalized 
http_inspect content buffers.

Cheers,
-matt

Frank Knobbe wrote:

>On Fri, 2004-08-20 at 10:37, nnposter at ...592... wrote:
>
>  
>
>>Yes. Only uricontent is preprocessed with http_inspect. content and pcre
>>are not.
>>    
>>
>
>Okay, so I would assume that all HTTP related rules should be crafted
>with [uri]content instead of pcre then..... to take advantage of the
>HTTP normalization by the preprocessor.
>
>In other words, pcre based rules would be easy to evade by various HTTP
>encodings, right?
>
>Cheers,
>Frank
>
>  
>





More information about the Snort-sigs mailing list