[Snort-users] Re: Question about http_inspect

Daniel J. Roelker droelker at ...1935...
Mon Apr 5 06:51:55 EDT 2004


The proper HTTP delimiter is "\r\n".  IIS (and Apache) both accept just
'\n' as a delimiter.  Almost all legitimate HTTP clients use the proper
HTTP delimiter, so this option allows you to get alerts on anomalous
types of requests, maybe from people using telnet as a client or just
from a hacker tool taking a shortcut.

We'll look into changing the documentation as well to be more
enlightening.

Thanks for your post.

Dan

On Thu, 2004-04-01 at 11:20, Thomas Bechtold wrote:
> Hi,
> I don't understand one http_inspect parameter.  The parameter is:
> 
> iis_delimiter <yes|no>
> If I set this parameter to yes, the doc says that alerts will be generated. But
> why? What's an iis_delimiter? I don't understand the doc from http_inspect at
> that point.
> 
> 
> Documentation about that parameter says:
> [snip]
> IMPORTANT:
> The 'yes/no' argument does not specify whether the configuration option
> itself is on or off, only the alerting functionality.
> [...]
>  * iis_delimiter [yes/no] *
> I originally started out with \n being IIS specific, but Apache takes this
> non-standard delimiter as well.  Since this is common, we always take this
> as standard since the most popular web servers accept it.  But you can still
> get an alert on this option.
> [snap]
> 
> 
> My question is: under which conditions will I get an alert?
> 
> Cheers Thomas
> 
-- 
Daniel Roelker
Software Developer
Sourcefire, Inc.
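
The condition described in the reply above (a request whose header lines end in a bare '\n' rather than "\r\n"), as an added example that is not part of the original message and is not Snort's http_inspect code. The function names and the sample requests are constructed for illustration.

```python
# Added example: flag HTTP request header lines terminated by a bare LF
# instead of CRLF. Function names and sample requests are constructed.

def find_bare_lf_lines(raw: bytes) -> list[int]:
    """Return 1-based numbers of header lines ending in LF with no CR before it.

    Only the request line and headers are examined; the body (after the
    first empty line) may legitimately contain lone LF bytes.
    """
    anomalies = []
    line_no = 0
    pos = 0
    while pos < len(raw):
        lf = raw.find(b"\n", pos)
        if lf == -1:
            break  # incomplete final line: no delimiter seen yet
        line_no += 1
        line = raw[pos:lf]
        bare = not line.endswith(b"\r")
        if bare:
            anomalies.append(line_no)
        content = line if bare else line[:-1]  # strip the CR of a CRLF
        pos = lf + 1
        if content == b"":
            break  # empty line ends the header section
    return anomalies


def should_alert(raw: bytes) -> bool:
    """True when any header line uses the non-standard bare-LF delimiter."""
    return bool(find_bare_lf_lines(raw))


# Constructed sample requests
STANDARD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BARE_LF = b"GET /index.html HTTP/1.1\nHost: www.example.com\n\n"
MIXED = (b"GET / HTTP/1.1\r\nHost: www.example.com\nAccept: */*\r\n\r\n"
         b"body\nwith\nlone LFs\n")

if __name__ == "__main__":
    for name, req in [("standard", STANDARD), ("bare_lf", BARE_LF), ("mixed", MIXED)]:
        print(name, find_bare_lf_lines(req), should_alert(req))
```

The MIXED sample shows why the scan stops at the end of the headers: lone '\n' bytes in a body are not delimiter anomalies.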
