[Snort-users] snort normalization trouble // not working as I expect

Joel Esler (jesler) jesler at ...589...
Mon Dec 23 10:08:09 EST 2013

On Dec 23, 2013, at 9:35 AM, Lil Evil <Lil_Evil at ...348...> wrote:

> I guess that would explain my observation and the behaviour of my IPS setup.
> So the traffic would be normalized by the pre-processor and is processed by the pre-processor rules before passing the normalized traffic to the inspection rules? I assume instead of alert a drop would also be possible on the pre-processor rules? Not that I want to drop http traffic with too many whitespaces in there, but to understand the correct traffic flow.


You can enable drop on the preprocessor rules.  But as you said, I wouldn’t want to do it wholesale.

Joel Esler
Intelligence Lead
Open Source Manager
Vulnerability Research Team
New Email: jesler at ...589...