Snort mailing list archives

Re: Question about http_inspect


From: "Daniel J. Roelker" <droelker () sourcefire com>
Date: 01 Apr 2004 11:33:33 -0500

The proper HTTP delimiter is "\r\n".  IIS (and Apache) both accept just
'\n' as a delimiter.  Almost all legitimate HTTP clients use the proper
HTTP delimiter, so this option allows you to get alerts on anomalous
types of requests, maybe from people using telnet as a client or just
from a hacker tool taking a shortcut.

We'll look into changing the documentation as well to be more
enlightening.

Thanks for your post.

Dan

On Thu, 2004-04-01 at 11:20, Thomas Bechtold wrote:
Hi,
I don't understand one http_inspect parameter.  The parameter is:

iis_delimiter <yes|no>
If I set this parameter to yes, the doc says that alerts will be generated. But 
why? What's an iis_delimiter? I don't understand the doc from http_inspect at 
that point.


Documentation about that parameter says:
[snip]
IMPORTANT:
The 'yes/no' argument does not specify whether the configuration option
itself is on or off, only the alerting functionality.
[...]
 * iis_delimiter [yes/no] *
I originally started out with \n being IIS specific, but Apache takes this
non-standard delimiter as well.  Since this is common, we always take this
as standard since the most popular web servers accept it.  But you can still
get an alert on this option.
[snap]


My question is: under which conditions will I get an alert?

Cheers Thomas

-- 
Daniel Roelker
Software Developer
Sourcefire, Inc.
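
The condition described in the reply above (a request line or header terminated by a bare "\n" rather than "\r\n"), as an added example that is not part of the original thread and is not Snort's http_inspect code. The function names and the sample requests are assumptions constructed for illustration.

```python
# Added illustration; not Snort's http_inspect implementation.
from typing import List, NamedTuple


class LineEnding(NamedTuple):
    line_no: int   # 1-based line number within the header section
    text: bytes    # line content without its terminator
    bare_lf: bool  # True when the line ended in "\n" not preceded by "\r"


def scan_header_delimiters(raw: bytes) -> List[LineEnding]:
    """Walk the request line and headers, recording each line terminator.

    Scanning stops at the empty line that ends the header section, so
    bare LFs inside a message body are never reported.
    """
    lines = []
    pos, line_no = 0, 1
    while pos < len(raw):
        lf = raw.find(b"\n", pos)
        if lf == -1:  # incomplete final line: nothing to classify yet
            break
        # The CR only counts if it belongs to this line (lf > pos).
        has_cr = lf > pos and raw[lf - 1:lf] == b"\r"
        text = raw[pos:lf - 1] if has_cr else raw[pos:lf]
        lines.append(LineEnding(line_no, text, not has_cr))
        pos, line_no = lf + 1, line_no + 1
        if text == b"":  # blank line: end of headers
            break
    return lines


def bare_lf_lines(raw: bytes) -> List[int]:
    """Header-section line numbers terminated by a bare LF."""
    return [e.line_no for e in scan_header_delimiters(raw) if e.bare_lf]


# Constructed sample requests (not captured traffic).
STANDARD = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
BARE_LF = b"GET /index.html HTTP/1.0\nHost: www.example.com\n\n"
# One header uses a bare LF; the 4-byte body also contains LFs, which are ignored.
MIXED = b"POST /form HTTP/1.0\r\nHost: www.example.com\nContent-Length: 4\r\n\r\na\nb\n"

if __name__ == "__main__":
    for name, req in (("standard", STANDARD), ("bare LF", BARE_LF), ("mixed", MIXED)):
        print(name, "->", bare_lf_lines(req) or "no anomaly")
```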


