[Snort-sigs] New adobe vulnerability
mwatchinski at ...435...
Fri Aug 20 11:16:01 EDT 2004
You can do a "pcre:/<regexhere/U" and pcre will look at the normalized
http_inspect content buffers.
Frank Knobbe wrote:
>On Fri, 2004-08-20 at 10:37, nnposter at ...592... wrote:
>>Yes. Only uricontent is preprocessed with http_inspect. content and pcre
>Okay, so I would assume that all HTTP related rules should be crafted
>with [uri]content instead of pcre then..... to take advantage of the
>HTTP normalization by the preprocessor.
>In other words, pcre based rules would be easy to evade by various HTTP
More information about the Snort-sigs