Snort mailing list archives
Re: Question about http_inspect
From: "Daniel J. Roelker" <droelker () sourcefire com>
Date: 01 Apr 2004 11:33:33 -0500
The proper HTTP delimiter is "\r\n". IIS (and Apache) both accept just '\n' as a delimiter. Almost all legitimate HTTP clients use the proper HTTP delimiter, so this option allows you to get alerts on anomalous types of requests, maybe from people using telnet as a client or just from a hacker tool taking a shortcut.

We'll look into changing the documentation as well to be more enlightening. Thanks for your post.

Dan

On Thu, 2004-04-01 at 11:20, Thomas Bechtold wrote:
Hi,

I don't understand one http_inspect parameter. The parameter is:

iis_delimiter <yes|no>

If I set this parameter to yes, the doc says that alerts will be generated. But why? What's an iis_delimiter? I don't understand the doc from http_inspect at that point. The documentation about that parameter says:

[snip]
IMPORTANT: The 'yes/no' argument does not specify whether the configuration option itself is on or off, only the alerting functionality.
[...]
* iis_delimiter [yes/no] *
I originally started out with \n being IIS specific, but Apache takes this non-standard delimiter as well. Since this is common, we always take this as standard since the most popular web servers accept it. But you can still get an alert on this option.
[snap]

My question is: under which conditions will I get an alert?

Cheers
Thomas
--
Daniel Roelker
Software Developer
Sourcefire, Inc.
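
The condition described in the reply above, as an added example that is not part of the original thread and is not Snort's http_inspect code: it reports which request and header lines end in a bare "\n" instead of "\r\n". The function names and the sample requests are constructed for illustration.

```python
# Added illustration only; not taken from Snort. Sample requests are constructed.

def find_bare_lf(raw: bytes) -> list[int]:
    """Return 1-based numbers of header lines terminated by a bare LF.

    Scanning stops at the blank line that ends the header block, so LF
    bytes inside a message body are never reported.
    """
    bare = []
    start = 0
    lineno = 0
    while True:
        end = raw.find(b"\n", start)
        if end == -1:
            break  # incomplete header block: nothing more to inspect
        lineno += 1
        line = raw[start:end]
        if line.endswith(b"\r"):
            line = line[:-1]      # proper "\r\n" delimiter
        else:
            bare.append(lineno)   # "\n" alone, accepted by IIS and Apache
        if not line:
            break                 # blank line: end of headers
        start = end + 1
    return bare


def should_alert(raw: bytes) -> bool:
    """True when any header line uses the non-standard delimiter."""
    return bool(find_bare_lf(raw))


# Constructed sample requests.
STANDARD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
LF_ONLY = b"GET /index.html HTTP/1.1\nHost: www.example.com\n\n"
MIXED = b"GET / HTTP/1.1\r\nHost: www.example.com\nAccept: */*\r\n\r\n"
WITH_BODY = (b"POST /form HTTP/1.1\r\nHost: www.example.com\r\n"
             b"Content-Length: 4\r\n\r\na\nb\n")

if __name__ == "__main__":
    for name, req in [("standard", STANDARD), ("lf-only", LF_ONLY),
                      ("mixed", MIXED), ("with-body", WITH_BODY)]:
        print(name, find_bare_lf(req), should_alert(req))
```

The mixed case shows why the check runs per line: a request can use "\r\n" on the request line and still carry a single bare "\n" further down.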