[Snort-users] Possible Evasion in http_inspect

Jennifer Steffens jennifer.steffens at ...1935...
Wed May 31 15:29:09 EDT 2006

Sourcefire is aware of a possible Snort evasion that exists in the
http_inspect preprocessor.  This evasion case only applies to protected
Apache web servers. We have prepared fixes for both the 2.4 and 2.6
branches and will have fully tested releases, including binaries,
available for both on Monday, June 5th.

Evasion Details:

The Apache web server supports special characters in HTTP requests that
do not affect the processing of the particular request.  The current
target-based profiles for Apache in the http_inspect preprocessor do not
properly handle these requests, resulting in the possibility that an
attacker can bypass detection of rules that use the "uricontent" keyword
by embedding special characters in a HTTP request.

Background Information:

It is important to note that this is an evasion and not a vulnerability.
This means that while it is possible for an attacker to bypass
detection, Snort sensors and the networks they protect are not at a
heightened risk of other attacks.


Sourcefire has prepared fixes and is currently finalizing a complete
round of testing to ensure that the fixes not only solve the issue at
hand but do not create new bugs as well. The following releases,
including binaries for Linux and Windows deployments, will be available
on Monday, June 5th:

* Snort v2.4.5
* Snort v2.6.0 final


Any questions regarding these releases can be sent to
snort-team at ...3990...


Jennifer S. Steffens
Director, Product Management - Snort
Sourcefire - Security for the Real World
W: 410.423.1930 | C: 202.409.7707
www.sourcefire.com | www.snort.org

More information about the Snort-users mailing list