[Snort-sigs] Snort "NORMALIZATION" question

Miso Patel miso.patel at ...2420...
Mon Feb 6 13:54:12 EST 2012

I see talk and read in the manual about "NORMALIZATION" that is done
by pre processors.  So fields like http match (http_header, http_uri,
http_cookie, http_client_body, etc.) are "NORMALIZED" (depending on
what you set in your snort .conf and compile-configure times).

My question is, what exactly does the "NORMALIZATION" does?  I can get
one of my engineers to look and the code and tell me but I thought
that perhaps there would be a good explanation of this (like one of a
"how-to" guides) although I can-not find it when searching.

For an example, what if there is http_client_body that sees a POST
'?petsolv=true&saltedPug=7&seed=many&jeryk=12Pepper', do the '=' and
'&' characters get "NORMALIZED" out or changed in any way?  This is
the specifics examples of what we are asking about.  What gets changed
and how so it?  I think many would like to read about it and can then
know for sure without doing many lab tests or getting a programmer to
read the Snort programming.

Also (my engineers want me to ask), is when you use the specific
'http' fields (http_header, etc.), what is searched?  Does the header
"name" be included in the field?  What about before and after
new-lines?  Are more than one space removed?  Do you do double decode?
(I'm not sure what this is but Vijay wanted me to ask :)

Thank you to all.

Miso, CISO

More information about the Snort-sigs mailing list