[Snort-sigs] http_preprocessor chunk_length parameter

KA L sorandomsec at ...2420...
Wed Oct 23 11:00:23 EDT 2013


Does this detect on just one chunk length being over the set limit or the
aggregate of all chunk lengths in a single session?

* chunk_length [non-zero positive integer] *
This option is an anomaly detector for abnormally large chunk sizes. This
picks
up the apache chunk encoding exploits, and may also alert on HTTP tunneling
that
uses chunk encoding.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20131023/9ff7b907/attachment.html>


More information about the Snort-sigs mailing list