[Snort-users] uricontent misbehaving?

Daniel Carroll snort at ...3986...
Fri Nov 2 12:23:24 EST 2001


Yuk.  And my server was one of the ones that complained.  What it
complained about was the 'window.open(...)' line in that mail message.

My opinion of McAfee's virus scanner just went down several notches.

	- Dan (Daniel Carroll)

> From: Tim Kramer <kramert at ...3975...>
> Subject: Re: [Snort-users] uricontent misbehaving?
> Date: 02 Nov 2001 22:32:13 -0500
> 
> Then again, just having the word the r-word with the
> e-extension caused various people's mail servers to
> spit the message back at me.  I guess the rule of
> thumb should be to write the filter to be large
> enough to be minimally functional without causing
> false alerts.  There's at least 12 mail servers out
> there using a commercial anti-virus program that
> spit my last message back at me (and they should
> know better).  Next thing you know, we'll not be
> able to send e-mail because someone wrote a virus
> that contains the word "the".
> 
> - Tim

> From: Martin Roesch <roesch at ...1935...>
> Subject: Re: [Snort-users] uricontent misbehaving?
> Date: Fri, 02 Nov 2001 15:14:19 -0500
> 
> It depends.  The uricontent keyword is linked to having the http_decode
> preprocessor turned on (yes, I know it's not orthogonal).  Basically, if
> http_decode isn't turned on Snort won't generate the URI data in the
> packet structure and the uricontent keyword will operate exactly as the
> content keyword does.  You also need to have your $EXTERNAL_NET set to
> !$HOME_NET if you don't want to catch outbound traffic as well.
> 
> [Original message snipped to halt the flood of email anti-virus systems
> false alarming on the name of the file in question that was part of that
> email.  Wow, anti-virus software is lame...]
> 
>      -Marty
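
The behaviour Marty describes, as an added Python sketch that is not part of the original thread or of Snort itself: it models a uricontent rule with and without http_decode, and with $EXTERNAL_NET set to any versus !$HOME_NET. The pattern `sample.ext`, the addresses and the payloads are constructed placeholders.

```python
# Simplified model for illustration only; this is not Snort source code.
import ipaddress
from urllib.parse import unquote

HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed sample network
PATTERN = "sample.ext"                            # hypothetical placeholder pattern

# Constructed sample traffic: (source address, TCP payload)
INBOUND_GET = ("198.51.100.7", b"GET /scripts/sample.ext HTTP/1.0\r\n\r\n")
INBOUND_POST = ("198.51.100.7",
                b"POST /guestbook.cgi HTTP/1.0\r\nContent-Length: 23\r\n\r\n"
                b"note=see+sample.ext+now")
OUTBOUND_GET = ("192.0.2.10", b"GET /files/sample.ext HTTP/1.0\r\n\r\n")


def uri_of(payload):
    """Return the decoded URI from an HTTP request line, or None."""
    line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split(" ")
    if len(parts) == 3 and parts[2].startswith("HTTP/"):
        return unquote(parts[1])  # stand-in for http_decode's URI handling
    return None


def src_matches(src, external_is_not_home):
    """Source test for a rule written as '$EXTERNAL_NET any -> ...'."""
    if not external_is_not_home:  # models EXTERNAL_NET = any
        return True
    return ipaddress.ip_address(src) not in HOME_NET


def uricontent_alerts(packet, http_decode, external_is_not_home):
    """True if the modelled uricontent rule would fire on this packet."""
    src, payload = packet
    if not src_matches(src, external_is_not_home):
        return False
    if http_decode:
        # URI data is available, so only the URI is searched.
        uri = uri_of(payload)
        return uri is not None and PATTERN in uri.lower()
    # No URI data in the packet structure: behaves exactly like content,
    # so the pattern is searched for anywhere in the payload.
    return PATTERN.encode() in payload.lower()


if __name__ == "__main__":
    for name in ("INBOUND_GET", "INBOUND_POST", "OUTBOUND_GET"):
        for decode in (True, False):
            for negated in (True, False):
                hit = uricontent_alerts(globals()[name], decode, negated)
                print(name, "http_decode=%s" % decode,
                      "EXTERNAL_NET=%s" % ("!HOME_NET" if negated else "any"), hit)
```

The POST case is the one to watch: with http_decode off the rule fires on a request whose URI never contains the pattern, which is the same kind of whole-message matching the anti-virus gateways in this thread were doing.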



