[Snort-users] http preprocessor oddity

Koji Shikata shikap at ...1694...
Sat Mar 31 11:34:16 EST 2001


Hi, Frank & all.
Sorry that the answer was slow.

I understood why the false-positive alert was made.

I wrote the reason & patch to snort-devel, not snort-users. :-(

On Fri, 30 Mar 2001 04:35:47 +0900
Koji Shikata <shikap at ...1694...> wrote: 
> I made a mistake when making the first patch.
> I should not have checked 1-byte unicode.
> 1-byte unicode (UTF-8) is the same as ASCII, you know.
> And notation, for example %2f, is used well.

So, you may use the patch that is attached below.
If you use this, false positives will probably decrease.

Regards,
Koji

-----------------cut---------------------
--- spp_http_decode.c.orig      Fri Mar 30 04:28:54 2001
+++ spp_http_decode.c   Fri Mar 30 04:29:09 2001
@@ -326,7 +326,6 @@
                     /* anything else that is valid hex */
                     else if (isxdigit((int)*(index+1)) && isxdigit((int)*(index+2)))
                     {
-                        unicode = temp;
                         index +=3;
                         url++;
                         psize -=2;
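
Review bot: In the "anything else that is valid hex" branch, dropping `unicode = temp;` leaves this path advancing `index`, `url` and `psize` without touching `unicode`, and nothing in the visible context resets it, so please confirm the flag cannot still hold a value from an earlier escape when it is tested later. If `temp` was computed only for this assignment, it is now unused in this branch and can be removed as well. A short comment here stating that single-byte %XX escapes such as %2f are deliberately not treated as unicode would keep the check from being reintroduced.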

-----------------cut---------------------



