[Snort-users] (http\_inspect) NON-RFC DEFINED CHAR

Jeff Kell jeff-kell at ...6282...
Tue Dec 30 08:42:01 EST 2003


CMartin at ...9696... wrote:

> Well, I checked out what I could.  Non-RFP Defined CHAR is a warning that
> the new http_inspect gives you.  Quote from manual: "For instance, a user
> may not want to see NULL bytes in the request-URI" (also known as URL) "and
> we can give an alert on that."  In the http_inspect configuration you can
> define what characters to look for.  Also you can tell the http inspect
> processor to alert when this (and other http_inspect warnings) occur.
> 
> I suggest checking out the new documentation for snort 2.1.0.. VERY
> interesting and awesome new features added with snort2.1.0!

I'm getting loads of these, as well as double-decode warnings from 
people using hotmail.  I don't want to have to make config entries for 
all of the hotmail servers...  also NON-RFC Delimiter errors in P2P 
traffic.  I would prefer that it only look at URIs from $EXTERNAL_NET.

Jeff





More information about the Snort-users mailing list