Snort mailing list archives
Re: uricontent misbehaving?
From: Daniel Carroll <snort () defiant mesastate edu>
Date: Fri, 2 Nov 2001 13:22:41 -0700
Yuk. And my server was one of the ones that complained. What it complained about was the 'window.open(...)' line in that mail message. My opinion of McAfee's virus scanner just went down several notches.

- Dan (Daniel Carroll)

From: Tim Kramer <kramert () mlrnoc navy mil>
Subject: Re: [Snort-users] uricontent misbehaving?
Date: 02 Nov 2001 22:32:13 -0500

Then again, just having the word the r-word with the e-extension caused various people's mail servers to spit the message back at me. I guess the rule of thumb should be to write the filter to be large enough to be minimally functional without causing false alerts. There are at least 12 mail servers out there using a commercial anti-virus program that spit my last message back at me (and they should know better). Next thing you know, we'll not be able to send e-mail because someone wrote a virus that contains the word "the".

- Tim

From: Martin Roesch <roesch () sourcefire com>
Subject: Re: [Snort-users] uricontent misbehaving?
Date: Fri, 02 Nov 2001 15:14:19 -0500

It depends. The uricontent keyword is linked to having the http_decode preprocessor turned on (yes, I know it's not orthogonal). Basically, if http_decode isn't turned on Snort won't generate the URI data in the packet structure and the uricontent keyword will operate exactly as the content keyword does. You also need to have your $EXTERNAL_NET set to !$HOME_NET if you don't want to catch outbound traffic as well.

[Original message snipped to halt the flood of email anti-virus systems false alarming on the name of the file in question that was part of that email. Wow, anti-virus software is lame...]

-Marty
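
Added example, not part of any message in this thread and not taken from the Snort distribution: a configuration fragment showing the two settings described in the reply above. The network range, the URI string, the sid and the port given to http_decode are constructed for illustration, and the syntax assumes a Snort 1.8-era snort.conf.

```conf
# Constructed example; every value here is illustrative.

# Define the protected network first.
var HOME_NET 192.168.1.0/24

# Define "external" as everything that is not HOME_NET.
# With "var EXTERNAL_NET any", a rule written as
#   $EXTERNAL_NET any -> $HTTP_SERVERS 80
# also matches requests that originate inside HOME_NET.
var EXTERNAL_NET !$HOME_NET
var HTTP_SERVERS $HOME_NET

# http_decode has to be enabled for the ports the web rules watch.
# Without this line Snort does not generate the URI data in the
# packet structure, and uricontent operates exactly as content does.
preprocessor http_decode: 80

# With http_decode on, uricontent is checked against the URI data
# rather than against the packet payload as a whole.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Constructed example: request for /example-script.cgi"; flags:A+; uricontent:"/example-script.cgi"; nocase; sid:1000001; rev:1;)
```

When a uricontent rule alerts on traffic that carries the string outside the request URI, or on outbound connections, these are the two settings to check first.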