[Snort-sigs] New adobe vulnerability

frank at ...1978... frank at ...1978...
Fri Aug 20 12:19:01 EDT 2004


Frank Knobbe <frank at ...1978...> wrote:
> On Fri, 2004-08-20 at 10:37, nnposter at ...592... wrote:
> > Yes. Only uricontent is preprocessed with http_inspect. content and pcre
> > are not.
> 
> Okay, so I would assume that all HTTP-related rules should be crafted
> with [uri]content instead of pcre then... to take advantage of the
> HTTP normalization by the preprocessor.

Only uricontent takes advantage of http_inspect, not content.

> In other words, pcre based rules would be easy to evade by various HTTP
> encodings, right?

As you have said, the URI normalization is a tremendous help. On the 
other hand, both uricontent and content lack the precision of PCRE, so 
in some cases it makes sense to start with uricontent and add PCRE to 
weed out false positives.

You can request PCRE matching against normalized URIs by specifying the 
undocumented modifier "U", such as:

    pcre:"/foo.+\.pdf\x00.+bar/iU";

but the performance issue is still there.

Cheers,
nnposter
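As an added illustration (not part of the thread and not Snort's code), the following Python models the difference the post describes: the same regex is run once against the raw URI, as pcre without "U" would see it, and once against a normalized URI, as uricontent or pcre with "U" would. The normalize_uri helper is an assumed, simplified stand-in for what http_inspect does (percent-decoding including double encoding, plus '.', '..' and '//' resolution); the sample URIs are constructed.

```python
import re
from urllib.parse import unquote

# The pcre from the post as a Python regex. The "i" flag maps to re.IGNORECASE;
# the "U" flag is modelled by choosing which form of the URI is searched.
RULE_PATTERN = re.compile(r"foo.+\.pdf\x00.+bar", re.IGNORECASE)


def normalize_uri(raw_uri: str, max_decode: int = 2) -> str:
    """Simplified stand-in for http_inspect's URI normalization (an assumption,
    not Snort's implementation): percent-decode the path up to max_decode times
    (so %25xx double encoding is unwrapped), then resolve '.', '..' and repeated
    slashes. The query string is carried along untouched in this model."""
    path, sep, query = raw_uri.partition("?")
    for _ in range(max_decode):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    stack = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if stack:
                stack.pop()
            continue
        stack.append(segment)
    return "/" + "/".join(stack) + (sep + query if sep else "")


def matches_raw(uri: str) -> bool:
    """pcre without 'U': the regex sees the request bytes as sent."""
    return RULE_PATTERN.search(uri) is not None


def matches_normalized(uri: str) -> bool:
    """pcre with 'U' (or uricontent): the regex sees the normalized URI."""
    return RULE_PATTERN.search(normalize_uri(uri)) is not None


if __name__ == "__main__":
    # Constructed samples: the same request sent plain, percent-encoded and
    # double-encoded. Only the normalized check catches all three.
    for uri in ("/foo/x.pdf\x00/bar", "/foo/x.pdf%00/bar", "/f%256fo/x.pdf%2500/bar"):
        print(repr(uri), "raw:", matches_raw(uri), "normalized:", matches_normalized(uri))
```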
