Snort mailing list archives
Re: pattern recognition problems
From: Brian <bmc () snort org>
Date: Fri, 17 Sep 2004 10:43:42 -0400
On Wed, Sep 15, 2004 at 10:48:47AM -0700, Travis Kincher wrote:
So, of course, it is looking for an HTTP string containing a negative content-length, i.e. "Content-Length: -1024". Here is an example of the data that apparently triggered this alert:

--------
HTTP/1.1 206 Partial Content..Server: Netscape-Enterprise/6.0..Date: Tue, 17 Aug 2004 16:09:46 GMT..Content-type: image/jpeg..Etag: "506d-70ab-411a9496"..Last-modified: Wed, 11 Aug 2004 21:50:14 GMT..Content-length: 13019..Content-range: bytes 15824-28842/28843....
--------

I highly doubt that the PCRE match is failing. If you compile snort in debug mode and then use DEBUG_PATTERN_MATCH (16384), you will get the pcre debugging messages and see for yourself how pcre is working inside of snort.

-b
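
An offline check of candidate patterns against the capture quoted in this thread, added here as an example and not taken from either poster or from the Snort rule set. Both patterns are hypothetical (the thread does not show the rule's pcre), Python's `re` stands in for PCRE, and the ".." pairs in the dump are assumed to be CRLF.

```python
import re

# Headers from the capture quoted in the thread; ".." in the dump is
# rendered as CRLF here (assumption about the original bytes).
SAMPLE_206 = (
    b"HTTP/1.1 206 Partial Content\r\n"
    b"Server: Netscape-Enterprise/6.0\r\n"
    b"Date: Tue, 17 Aug 2004 16:09:46 GMT\r\n"
    b"Content-type: image/jpeg\r\n"
    b'Etag: "506d-70ab-411a9496"\r\n'
    b"Last-modified: Wed, 11 Aug 2004 21:50:14 GMT\r\n"
    b"Content-length: 13019\r\n"
    b"Content-range: bytes 15824-28842/28843\r\n\r\n"
)

# Constructed response carrying the value the alert is meant to catch.
SAMPLE_NEGATIVE = b"HTTP/1.1 200 OK\r\nContent-Length: -1024\r\n\r\n"

# Hypothetical patterns, not the rule's own pcre.
# STRICT: header name at line start, blanks on the same line, minus, digits.
STRICT = re.compile(rb"^Content-Length:[ \t]*-\d+", re.I | re.M)
# LOOSE: dotall lets ".*" run past the header's own line to any later
# "-<digits>", such as the end offset inside a Content-range value.
LOOSE = re.compile(rb"Content-Length:.*-\d+", re.I | re.S)


def matched_text(pattern, payload):
    """Return the bytes the pattern matched, or None if it did not fire."""
    m = pattern.search(payload)
    return m.group(0) if m else None


def report(payload):
    """Run both candidate patterns over one payload."""
    return {
        "strict": matched_text(STRICT, payload),
        "loose": matched_text(LOOSE, payload),
    }


if __name__ == "__main__":
    for name, payload in (("206 capture", SAMPLE_206),
                          ("negative length", SAMPLE_NEGATIVE)):
        print(name, report(payload))
```

Printing the matched bytes rather than a yes/no answer shows which part of the payload a pattern actually consumed, which is the same question the pcre debug output answers inside Snort.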