[Snort-users] on rules and http preprocessor (a comment)

Martin Roesch roesch at ...421...
Sat Oct 14 02:19:30 EDT 2000


All rules should use normalized or hex encoded values, not URI encoded ones. 
That's what the http_decode preprocessor is for... :)

    -Marty

Fyodor wrote:
> 
> By the way, I was just testing snort rules and noticed that snort doesn't
> trigger an alert if you have a rule saying `content: "%20%2e.blah"' and have
> an http preprocessor enabled. Instead you will have to use `content: |20 2e|.blah'
> or something... but as you see it will also match a packet which contained ` ..blah'
> data, for example. In most cases it would be the same, but some rules are looking for
> %2e%2e%2e packets explicitly.. for this case we will have to think of a way around, if possible..
> 
> Any thoughts would be welcome of course ;-)
> 
> -Fyodor

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org
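
An added example, not part of the original messages and not Snort's code: a simplified Python model of the behaviour discussed in this thread, where percent-decoding runs before content matching. The function names and sample requests are constructed for illustration, and `normalize_uri` only approximates what http_decode does.

```python
import re

def normalize_uri(payload: bytes) -> bytes:
    """Replace each %XX escape with the byte it encodes
    (simplified stand-in for the http_decode preprocessor)."""
    return re.sub(rb"%([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), payload)

def parse_content(pattern: str) -> bytes:
    """Turn a Snort-style content string into raw bytes.
    Text between pipes is space-separated hex, the rest is literal."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2:                      # odd segments sit between pipes
            out += bytes.fromhex(part)
        else:
            out += part.encode("latin-1")
    return bytes(out)

def rule_matches(content: str, payload: bytes, preprocessor: bool = True) -> bool:
    """Match the content pattern against the payload the detection
    engine would see, with or without normalization."""
    data = normalize_uri(payload) if preprocessor else payload
    return parse_content(content) in data

# Constructed sample requests (not captured traffic).
ENCODED = b"GET /cgi-bin/%20%2e.blah HTTP/1.0\r\n\r\n"
LITERAL = b"GET /cgi-bin/ ..blah HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for content in ('%20%2e.blah', '|20 2e|.blah'):
        for name, pkt in (("encoded", ENCODED), ("literal", LITERAL)):
            for pre in (False, True):
                hit = rule_matches(content, pkt, preprocessor=pre)
                print(f"content={content!r:16} packet={name:8} "
                      f"preprocessor={pre!s:5} -> {'ALERT' if hit else 'no match'}")
```

With the preprocessor on, the URI-encoded pattern never fires, and the hex pattern fires on both requests because they are identical after normalization.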


