Snort mailing list archives

Re: pattern recognition problems


From: Brian <bmc () snort org>
Date: Fri, 17 Sep 2004 10:43:42 -0400

On Wed, Sep 15, 2004 at 10:48:47AM -0700, Travis Kincher wrote:
> So, of course, it is looking for an HTTP string containing a negative 
> content-length, i.e. "Content-Length: -1024".
>
> Here is an example of the data that apparently triggered this alert:
> --------
> HTTP/1.1 206 Partial Content..Server: Netscape-Enterprise/6.0..Date: 
> Tue, 17 Aug 2004 16:09:46 GMT..Content-type: image/jpeg..Etag: 
> "506d-70ab-411a9496"..Last-modified: Wed, 11 Aug 2004 21:50:14 
> GMT..Content-length: 13019..Content-range: bytes 15824-28842/28843....
> --------

I highly doubt that the PCRE match is failing.  If you compile snort
in debug mode and then use DEBUG_PATTERN_MATCH (16384), you will get
the pcre debugging messages and see for yourself how pcre is working
inside of snort.

-b

