[Snort-users] Re: Question about http_inspect
Daniel J. Roelker
droelker at ...1935...
Mon Apr 5 06:51:55 EDT 2004
The proper HTTP delimiter is "\r\n". IIS (and Apache) both accept just
'\n' as a delimiter. Almost all legitimate HTTP clients use the proper
HTTP delimiter, so this option allows you to get alerts on anomalous
types of requests, maybe from people using telnet as a client or just
from a hacker tool taking a shortcut.
We'll look into changing the documentation as well to be more
Thanks for your post.
On Thu, 2004-04-01 at 11:20, Thomas Bechtold wrote:
> I don't understand one http_inspect parameter. The parameter is:
> iis_delimiter <yes|no>
> If I set this parameter to yes, the doc says that alerts will be generated. But
> why? What's an iis_delimiter? I don't understand the doc from http_inspect at
> that point.
> Documentation about that parameter says:
> The 'yes/no' argument does not specify whether the configuration option
> itself is on or off, only the alerting functionality.
> * iis_delimiter [yes/no] *
> I originally started out with \n being IIS specific, but Apache takes this
> non-standard delimiter as well. Since this is common, we always take this
> as standard since the most popular web servers accept it. But you can still
> get an alert on this option.
> My question is: under which conditions will I get an alert?
> Cheers Thomas
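
The condition described in the reply (header lines ended by a bare '\n' instead of "\r\n") can be checked as follows. This is an added illustration, not Snort's http_inspect code and not part of the original thread; the function names and the sample requests are constructed for the example.

```python
# Added illustration (not Snort source): classify the line delimiters used in
# the request line and headers of a raw HTTP request.

def header_delimiters(raw: bytes) -> dict:
    """Count "\\r\\n" and bare "\\n" line endings up to the end of the headers."""
    counts = {"crlf": 0, "bare_lf": 0}
    start = 0
    while True:
        nl = raw.find(b"\n", start)
        if nl == -1:
            break  # truncated request: no further complete line
        # The "\r" only counts if it belongs to the current line.
        crlf = nl > start and raw[nl - 1] == 0x0D
        counts["crlf" if crlf else "bare_lf"] += 1
        line = raw[start:nl - 1] if crlf else raw[start:nl]
        start = nl + 1
        if line == b"":
            break  # blank line ends the headers; body bytes are not inspected
    return counts


def bare_lf_anomaly(raw: bytes) -> bool:
    """True when any header line ends with '\\n' that is not preceded by '\\r'."""
    return header_delimiters(raw)["bare_lf"] > 0


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "standard client": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "bare LF only": b"GET /index.html HTTP/1.1\nHost: www.example.com\n\n",
    "mixed": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\n\r\n",
    "LF only in body": (b"POST /form HTTP/1.1\r\nHost: www.example.com\r\n"
                        b"Content-Length: 4\r\n\r\na\nb\n"),
}

if __name__ == "__main__":
    for name, request in SAMPLES.items():
        verdict = "anomalous" if bare_lf_anomaly(request) else "ok"
        print(f"{name:16} {header_delimiters(request)} -> {verdict}")
```
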