Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [Snort-Devel] bug in http preprocessor and non ascii characters 2.8.6.1

From: Bhagya Bantwal <bbantwal () sourcefire com>
Date: Wed, 16 Mar 2011 13:23:28 -0400
You can turn on extended_ascii_uri in http_inspect_server to handle non
printable letters.

-B
On Wed, Mar 16, 2011 at 1:02 PM, matan monitz <mmonitz () gmail com> wrote:


hello
i am encountering runaway uri buffers when inspecting packets with non
ascii characters in the uri
what basically happens is that for some reason if the uri contains non
printable letters (hebrew ansi from IE for instance) the uri buffer gets
filled with header data resulting in false positives
i haven't tested the buffers using the methods described in the recent blog
post but have tested it with custom rules and was able to recreate the bug
is this a known bug or some configuration option i'm missing?
 i can post the test pcaps and rules if needed



------------------------------------------------------------------------------
Colocation vs. Managed Hosting
A question and answer guide to determining the best fit
for your organization - today and in the future.
http://p.sf.net/sfu/internap-sfd2d
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel



------------------------------------------------------------------------------
Colocation vs. Managed Hosting
A question and answer guide to determining the best fit
for your organization - today and in the future.
http://p.sf.net/sfu/internap-sfd2d
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Previous By Date Next
Previous By Thread Next

Current thread: