[Snort-users] pattern recognition problems

Brian bmc at ...950...
Mon Sep 20 08:25:04 EDT 2004


On Wed, Sep 15, 2004 at 10:48:47AM -0700, Travis Kincher wrote:
> So, of course, it is looking for an HTTP string containing a negative 
> content-length, i.e. "Content-Length: -1024".
> 
> Here is an example of the data that apparently triggered this alert:
> --------
> HTTP/1.1 206 Partial Content..Server: Netscape-Enterprise/6.0..Date: 
> Tue, 17 Aug 2004 16:09:46 GMT..Content-type: image/jpeg..Etag: 
> "506d-70ab-411a9496"..Last-modified: Wed, 11 Aug 2004 21:50:14 
> GMT..Content-length: 13019..Content-range: bytes 15824-28842/28843....
> --------

I highly doubt that the PCRE match is failing.  If you compile snort
in debug mode and then use DEBUG_PATTERN_MATCH (16384), you will get
the pcre debugging messages and see for yourself how pcre is working
inside of snort.

-b



