List: snort-sigs
Subject: [Snort-sigs] on rules and http preprocessor (a comment)
From: Fyodor <fygrave () tigerteam ! net>
Date: 2000-10-09 12:26:52
By the way, I was just testing snort rules and noticed that snort doesn't
trigger an alert if you have a rule saying `content: "%20%2e.blah"', and have
the http preprocessor enabled. Instead you will have to use `content: |20 2e|.blah'
or something... but as you see it will also match a packet which contained ` ..blah'
data, f.e. In most cases it would be the same, but some rules are looking for
%2e%2e%2e packets explicitly.. for this case we will have to think of a way around, if possible..
Any thoughts would be welcome of course ;-)
-Fyodor
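
The behaviour described in the message above, as an added example that is not part of the original message and is not Snort's code: a simplified Python model in which content patterns are matched against a percent-decoded payload, compared with matching against the raw bytes. The function names, the decoding model and the sample requests are assumptions constructed for illustration; checking both buffers is one possible way to tell an explicitly encoded request from a literal one.

```python
import re

def http_decode(payload: bytes) -> bytes:
    """Simplified stand-in for URI normalization: replace each %XX with its byte."""
    return re.sub(rb"%([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), payload)

def parse_content(pattern: str) -> bytes:
    """Convert a Snort-style content string (text with |hex| sections) to bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        # Odd-numbered parts sit between pipes and hold hex bytes.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def evaluate(pattern: str, payload: bytes) -> dict:
    """Report whether the pattern matches the raw and the decoded payload."""
    needle = parse_content(pattern)
    return {"raw": needle in payload,
            "decoded": needle in http_decode(payload)}

def explicitly_encoded(pattern: str, payload: bytes) -> bool:
    """True when the pattern matches only because decoding produced it,
    i.e. the sender percent-encoded the bytes (assumed workaround)."""
    result = evaluate(pattern, payload)
    return result["decoded"] and not result["raw"]

# Constructed sample requests (not captured traffic).
ENCODED = b"GET /cgi-bin/test%20%2e.blah HTTP/1.0\r\n\r\n"
LITERAL = b"GET /cgi-bin/test ..blah HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for rule in ('%20%2e.blah', '|20 2e|.blah'):
        for name, pkt in (("encoded", ENCODED), ("literal", LITERAL)):
            print(f"{rule!r:16} vs {name}: {evaluate(rule, pkt)}")
    print("encoded request flagged:", explicitly_encoded('|20 2e|.blah', ENCODED))
    print("literal request flagged:", explicitly_encoded('|20 2e|.blah', LITERAL))
```

On the decoded buffer the two requests are indistinguishable, which is why a rule that cares about the encoding itself needs access to the raw bytes as well.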