[Snort-users] snort normalization trouble // not working as I expect

Joel Esler (jesler) jesler at ...589...
Mon Dec 23 10:08:09 EST 2013


On Dec 23, 2013, at 9:35 AM, Lil Evil <Lil_Evil at ...348...> wrote:

> I guess that would explain my observation and the behaviour of my IPS setup.
> So the traffic would be normalized by the pre-processor and processed by the pre-processor rules before passing the normalized traffic to the inspection rules? I assume instead of alert, a drop would also be possible on the pre-processor rules? Not that I want to drop http traffic with too many whitespaces in there, but to understand the correct traffic flow.

Correct.

You can enable drop on the preprocessor rules.  But as you said, I wouldn’t want to do it wholesale.

--
Joel Esler
Intelligence Lead
Open Source Manager
Vulnerability Research Team
New Email: jesler at ...589...
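As an added illustration of the flow confirmed above (example configuration, not text from the thread or the Snort project's shipped files): a snort.conf excerpt that enables the normalizers and the preprocessor rule file, followed by a preprocessor.rules excerpt in which one event is switched from alert to drop. The file paths, the port list and the `<SID>`/`<EVENT_TO_BLOCK>` placeholders are assumptions to be filled in from the preprocessor.rules that ships with the Snort version in use.

```conf
# --- snort.conf excerpt ---
# Order of processing: normalizers rewrite the packet, preprocessors decode it
# and raise gid-keyed events, then the payload inspection rules run.
config policy_mode:inline          # drop only takes effect with Snort inline

preprocessor normalize_ip4
preprocessor normalize_tcp: ips ecn stream
preprocessor normalize_icmp4

preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } \
    normalize_utf normalize_headers normalize_cookies

# Preprocessor events become alerts or drops only via these rule files
var PREPROC_RULE_PATH /etc/snort/preproc_rules    # assumed path
include $PREPROC_RULE_PATH/preprocessor.rules

# --- preprocessor.rules excerpt (gid 119 = http_inspect client events) ---
# Stock form: the event just alerts.
alert ( msg: "HI_CLIENT_ASCII"; sid: 1; gid: 119; rev: 1; metadata: rule-type preproc; classtype: protocol-command-decode; )

# Same mechanism, but enforcing: only the action word changes. Do this for the
# one event you actually want blocked, not for the whole file.
# <SID> and <EVENT_TO_BLOCK> are placeholders, copied from the shipped file.
drop ( msg: "HI_CLIENT_<EVENT_TO_BLOCK>"; sid: <SID>; gid: 119; rev: 1; metadata: rule-type preproc; classtype: protocol-command-decode; )

# Noisy but harmless normalization events (such as excess whitespace) are
# better left as alert, or commented out, than dropped wholesale.
```

The drop lines log and block in inline mode; in passive mode or with `policy_mode:inline_test` they behave like alerts, which is a convenient way to measure how much traffic a candidate drop rule would affect before enforcing it.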