Snort mailing list archives
Re: Question about Content-Disposition, Content-Type, etc. and http_header buffer
From: Mike Cox <mike.cox52 () gmail com>
Date: Thu, 25 Oct 2012 16:50:04 -0500
I think the packets are correct. I guess the situation is, when you have encoding such as multipart/form-data, some header fields like Content-Disposition can end up in the body of the message. Thus, snort rules matching on such headers and using the http_header buffer won't match as intended. Make sense?

I was wondering if it was possible for http_inspect to realize this situation and populate the http_header buffer with the headers from the body so that rules matching on things like Content-Disposition in http_header will still alert properly with situations such as multipart/form-data encoding.

Thanks!

-Mike Cox

On Thu, Oct 25, 2012 at 4:35 PM, Joel Esler <jesler () sourcefire com> wrote:
> On Oct 25, 2012, at 4:35 PM, lists () packetmail net wrote:
>> On 10/25/2012 03:07 PM, Joel Esler wrote:
>>> Am I still missing the point? Am I insane?
>>
>> You're missing RFC 6266 which updates RFC 2616 ;)
>
> There isn't anything in that RFC that alters the behavior of where the header ends. My point is, I think, if I'm right, is whatever program is generating the packets that Mike is talking about isn't doing so correctly.
>
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
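The situation described in the message above, as an added example that is not part of the original thread: this Python code splits a constructed multipart/form-data upload at the first blank line and reports whether a field name sits in the HTTP header block or only in a body part's own header block. The request bytes, host, boundary, file name and all function names are assumptions made for the illustration.

```python
import re

# Constructed sample upload; host, path, boundary and file name are made up.
BODY = (
    b"--XyZ123\r\n"
    b'Content-Disposition: form-data; name="file"; filename="report.pdf"\r\n'
    b"Content-Type: application/pdf\r\n"
    b"\r\n"
    b"%PDF-1.4 constructed\r\n"
    b"--XyZ123--\r\n"
)
SAMPLE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: multipart/form-data; boundary=XyZ123\r\n"
    b"Content-Length: " + str(len(BODY)).encode() + b"\r\n\r\n" + BODY
)

def header_names(block):
    """Lower-cased field names from a block of 'Name: value' lines."""
    names = []
    for line in block.split(b"\r\n"):
        name, sep, _ = line.partition(b":")
        if sep and b" " not in name:  # skips the request line
            names.append(name.lower().decode("ascii", "replace"))
    return names

def part_header_names(head, body):
    """Field names from the header block of each multipart body part."""
    m = re.search(rb'(?im)^content-type:\s*multipart/form-data\s*;.*?boundary="?([^";\r\n]+)', head)
    if m is None:
        return []
    names = []
    for part in body.split(b"--" + m.group(1))[1:]:
        if part.startswith(b"--"):  # closing delimiter
            break
        names.extend(header_names(part.lstrip(b"\r\n").partition(b"\r\n\r\n")[0]))
    return names

def locate_field(raw, field):
    """Report whether a field sits in the HTTP header block, a body part, or both."""
    head, _, body = raw.partition(b"\r\n\r\n")  # first blank line ends the headers
    field = field.lower()
    return {"http_header": field in header_names(head),
            "body_part": field in part_header_names(head, body)}

if __name__ == "__main__":
    for f in ("Content-Disposition", "Content-Type"):
        print(f, locate_field(SAMPLE_REQUEST, f))
```

In Snort 2.x rule terms, the part headers belong to the request body, which is what the `http_client_body` content modifier inspects.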