[Snort-users] spaces causing problems in content filters in win32 port of snort (resend)
tom at ...9643...
Mon Jul 14 17:49:30 EDT 2003
> when a content filter contains a space ' ' or a '.' character,
> snort does not seem to be matching the text correctly, i.e.
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"P O R
> N free ZZZ"; content:"FREE ZZZ"; nocase; flow:to_client;
> classtype:kickass-p o r n; sid:1310; rev:5;)
> never matches my test page with "FREE ZZZ" that I have created,
> at the moment it will match single words like 'freezzz', but will
> not match 'free zzz' or words separated by dots
> 'alt.binarires.whatever', commenting out the dots '\.' seems to
> work for dots, but not for spaces. And this also has the pain of
> breaking a lot of the rules supplied along with snort.
After some investigation it seems that snort detects these fine unless the web page
is returned chunked-encoded - like google for example; but for sites with no encoding
it detects the content string fine.
Is there any more documentation on things like this that I missed?
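
The message above attributes the missed matches to chunked transfer encoding. As an added example (not part of the original post, and not Snort's code), this Python block shows how chunk-size framing can land inside a string so that a contiguous content search over the raw payload misses it, while the de-chunked body matches; the sample responses and the function names are constructed for illustration.

```python
# Added illustration; the response bodies below are constructed sample data.

def dechunk(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked message body (trailers are ignored)."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        # Chunk extensions (";name=value") may follow the hex size.
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        if size < 0:
            raise ValueError("negative chunk size")
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last-chunk reached
        if pos + size + 2 > len(body):
            raise ValueError("truncated chunk data")
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        out += body[pos:pos + size]
        pos += size + 2


def content_match(payload: bytes, pattern: bytes, nocase: bool = True) -> bool:
    """Contiguous byte search, modelled on a content: option with nocase."""
    if nocase:
        payload, pattern = payload.lower(), pattern.lower()
    return pattern in payload


# Constructed: the same page sent unencoded, and sent chunked with a
# chunk boundary falling between "free" and " zzz".
PLAIN_BODY = b"<html><body>Get free zzz here</body></html>"
CHUNKED_BODY = (
    b"14\r\n<html><body>Get free\r\n"
    b"17\r\n zzz here</body></html>\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    print("plain body   :", content_match(PLAIN_BODY, b"FREE ZZZ"))
    print("raw chunked  :", content_match(CHUNKED_BODY, b"FREE ZZZ"))
    print("after dechunk:", content_match(dechunk(CHUNKED_BODY), b"FREE ZZZ"))
```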