[Snort-sigs] Snort "NORMALIZATION" question
miso.patel at ...2420...
Mon Feb 6 13:54:12 EST 2012
I see talk of, and read in the manual about, "NORMALIZATION" that is done
by preprocessors. So fields like the http matches (http_header, http_uri,
http_cookie, http_client_body, etc.) are "NORMALIZED" (depending on
what you set in your snort.conf and at compile/configure time).
My question is, what exactly does the "NORMALIZATION" do? I could get
one of my engineers to look at the code and tell me, but I thought
that perhaps there would be a good explanation of this (like one of the
"how-to" guides), although I cannot find it when searching.
For example, what if http_client_body sees a POST
'?petsolv=true&saltedPug=7&seed=many&jeryk=12Pepper'; do the '=' and
'&' characters get "NORMALIZED" out or changed in any way? This is
the specific example of what we are asking about. What gets changed,
and how? I think many would like to read about it and could then
know for sure without doing many lab tests or getting a programmer to
read the Snort source.
Also (my engineers want me to ask): when you use the specific
'http' fields (http_header, etc.), what is searched? Is the header
"name" included in the field? What about before and after
new-lines? Are multiple spaces removed? Do you do double decode?
(I'm not sure what this is, but Vijay wanted me to ask :)
Thank you to all.
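The following is an added illustration, not Snort's code and not part of the original post. It applies the kinds of decoding steps the Snort manual lists for http_inspect (percent-decoding, double_decode, multi_slash, iis_backslash, directory traversal) to a constructed POST body and URI, so the effect on the bytes can be seen: a single decoding pass leaves literal '=' and '&' alone, but turns '%3D' and '%26' into '=' and '&', so a flat content match on a decoded buffer cannot tell the two apart, whereas a structural parse that splits on the delimiters before decoding can. Whether Snort applies exactly these passes to the client body under your configuration is not verified here; the helper names, the sample inputs and the behaviour of the `double_decode` flag are this example's own assumptions, and the manual and the http_inspect source remain the authority.

```python
"""Illustrative HTTP normalizer (added example, not Snort code).

Shows what percent-decoding, double decoding, backslash/slash folding and
directory-traversal folding do to a form-encoded body and a request URI.
All inputs are constructed; nothing here reads Snort's configuration.
"""
import re

_PCT = re.compile(r'%([0-9A-Fa-f]{2})')


def percent_decode_once(s: str) -> str:
    """Decode every %XX sequence exactly one level; malformed ones are kept."""
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), s)


def _decode(s: str, double_decode: bool) -> str:
    """One pass, or two passes when double_decode is on (assumed to mirror
    the manual's double_decode option, where %2541 -> %41 -> 'A')."""
    s = percent_decode_once(s)
    return percent_decode_once(s) if double_decode else s


def normalize_uri(uri: str, double_decode: bool = False) -> str:
    """URI normalization in the style of the http_inspect uri options.

    Path and query are split before decoding so an encoded '?' cannot move
    the boundary; slash/traversal folding is applied to the path only."""
    path, sep, query = uri.partition('?')
    path = _decode(path, double_decode)
    query = _decode(query, double_decode)
    path = path.replace('\\', '/')           # iis_backslash-style folding
    path = re.sub(r'/{2,}', '/', path)       # multi_slash-style folding
    segs = []                                # fold /./ and /../ segments
    for seg in path.split('/'):
        if seg == '.':
            continue
        if seg == '..':
            if len(segs) > 1:               # never climb above the leading '/'
                segs.pop()
            continue
        segs.append(seg)
    return '/'.join(segs) + sep + query


def normalize_body(body: str, double_decode: bool = False) -> str:
    """The flat decoded string a content match over a decoded body buffer
    would see. Literal '=' and '&' are untouched; %3D and %26 become '='
    and '&', indistinguishable from the real delimiters afterwards."""
    return _decode(body, double_decode)


def parse_form(body: str) -> dict:
    """Structural parse: split on '&' and '=' FIRST, then decode each piece,
    so an encoded %26 inside a value stays inside that value."""
    fields = {}
    for pair in body.split('&'):
        if not pair:
            continue
        name, _, value = pair.partition('=')
        # application/x-www-form-urlencoded: '+' means space, before %-decoding
        fields[percent_decode_once(name.replace('+', ' '))] = \
            percent_decode_once(value.replace('+', ' '))
    return fields


# Constructed samples: the body from the question, an encoded variant of it,
# and a URI mixing encoded dots, a backslash, doubled slashes and %2541.
BODY_PLAIN = "petsolv=true&saltedPug=7&seed=many&jeryk=12Pepper"
BODY_ENCODED = "petsolv%3Dtrue&saltedPug=7&seed=many%26jeryk%3D12Pepper"
URI = "/cgi-bin/%2e%2e/..\\etc//passwd?x=%2541"

if __name__ == "__main__":
    for body in (BODY_PLAIN, BODY_ENCODED):
        print("raw      :", body)
        print("decoded  :", normalize_body(body))
        print("parsed   :", parse_form(body))
        print("'petsolv=true' in decoded buffer:",
              "petsolv=true" in normalize_body(body))
        print()
    print("uri single:", normalize_uri(URI))
    print("uri double:", normalize_uri(URI, double_decode=True))
```

The decoded buffers for BODY_PLAIN and BODY_ENCODED come out byte-for-byte identical, so a rule keyed on `petsolv=true` fires on both; the structural parse of the encoded body instead yields a field literally named `petsolv=true` and a `seed` value containing `&jeryk=12Pepper`. The URI shows `%2e%2e` becoming a traversal only after decoding, and `%2541` surviving a single pass as `%41` but collapsing to `A` under double decoding.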