List:       snort-sigs
Subject:    [Snort-sigs] on rules and http preprocessor (a comment)
From:       Fyodor <fygrave () tigerteam ! net>
Date:       2000-10-09 12:26:52

By the way, I was just testing snort rules and noticed that snort doesn't
trigger an alert if you have a rule saying `content: "%20%2e.blah"', and have
an http preprocessor enabled. Instead you will have to use `content: |20 2e|.blah'
or something... but as you see it will also match a packet which contained ` ..blah'
data, for example. In most cases it would be the same, but some rules are looking for
%2e%2e%2e packets explicitly.. for this case we will have to think of a way around, if possible..

Any thoughts would be welcome of course ;-)


-Fyodor
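
Added example, not part of the original message and not Snort's own code: a simplified Python model of the matching behaviour described above, plus one possible way to tell an explicitly encoded request from a literal one by keeping the raw bytes next to the decoded ones. It assumes the http preprocessor percent-decodes the payload before content matching; the function names and the two sample requests are constructed for illustration.

```python
import re

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")

def http_decode(payload: bytes) -> bytes:
    """Simplified stand-in for the http preprocessor: turn each %XX into its byte."""
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), payload)

def parse_content(spec: str) -> bytes:
    """Convert a Snort-style content string with |hex| sections into raw bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2:                       # odd chunks sit between pipes: hex bytes
            out += bytes.fromhex(part)  # fromhex skips the spaces in "20 2e"
        else:                           # even chunks are literal text
            out += part.encode("latin-1")
    return bytes(out)

def rule_matches(content: str, payload: bytes, preprocess: bool) -> bool:
    """Match the content pattern against the decoded or the raw payload."""
    data = http_decode(payload) if preprocess else payload
    return parse_content(content) in data

def explicitly_encoded(content: str, payload: bytes) -> bool:
    """True when the pattern appears only after decoding, so the sender
    percent-encoded at least part of it. Assumes raw bytes are still available."""
    pattern = parse_content(content)
    return pattern in http_decode(payload) and pattern not in payload

# Constructed sample requests: one percent-encoded, one with the literal bytes.
ENCODED = b"GET /%20%2e.blah HTTP/1.0\r\n\r\n"
LITERAL = b"GET / ..blah HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, pkt in (("encoded", ENCODED), ("literal", LITERAL)):
        print(name,
              "| %-rule, raw:", rule_matches("%20%2e.blah", pkt, False),
              "| %-rule, decoded:", rule_matches("%20%2e.blah", pkt, True),
              "| hex-rule, decoded:", rule_matches("|20 2e|.blah", pkt, True),
              "| explicitly encoded:", explicitly_encoded("|20 2e|.blah", pkt))
```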

