[Snort-sigs] Snort "NORMALIZATION" question

Joel Esler jesler at ...435...
Mon Feb 6 13:57:58 EST 2012

http_header, http_client_body, http_cookie don't do normalization.

http_uri does, and it's configuration is based upon how you configure
http_inspect just like it always has.

On Mon, Feb 6, 2012 at 1:54 PM, Miso Patel <miso.patel at ...2420...> wrote:

> I see talk and read in the manual about "NORMALIZATION" that is done
> by pre processors.  So fields like http match (http_header, http_uri,
> http_cookie, http_client_body, etc.) are "NORMALIZED" (depending on
> what you set in your snort .conf and compile-configure times).
> My question is, what exactly does the "NORMALIZATION" does?  I can get
> one of my engineers to look and the code and tell me but I thought
> that perhaps there would be a good explanation of this (like one of a
> "how-to" guides) although I can-not find it when searching.
> For an example, what if there is http_client_body that sees a POST
> '?petsolv=true&saltedPug=7&seed=many&jeryk=12Pepper', do the '=' and
> '&' characters get "NORMALIZED" out or changed in any way?  This is
> the specifics examples of what we are asking about.  What gets changed
> and how so it?  I think many would like to read about it and can then
> know for sure without doing many lab tests or getting a programmer to
> read the Snort programming.
> Also (my engineers want me to ask), is when you use the specific
> 'http' fields (http_header, etc.), what is searched?  Does the header
> "name" be included in the field?  What about before and after
> new-lines?  Are more than one space removed?  Do you do double decode?
> (I'm not sure what this is but Vijay wanted me to ask :)
> Thank you to all.
> Miso, CISO
> ------------------------------------------------------------------------------
> Try before you buy = See our experts in action!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-dev2
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!

Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
Twitter:  http://twitter.com/snort
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20120206/d142be2e/attachment.html>

More information about the Snort-sigs mailing list