Snort mailing list archives

Re: content |00|


From: Ryan Russell <ryan () securityfocus com>
Date: Tue, 11 Dec 2001 10:20:54 -0700 (MST)

On Tue, 11 Dec 2001, RAMALINGA Reddy wrote:

Hello Gurus,
      I came across so many snort rules which contain "|00|" in the
content. Can anyone explain what it means? Is it a kind of NOOP?
Thanks in advance,
Rali

That's how Snort does hexadecimal characters in rules, between vertical
bars, "|".  So |00| is just a byte containing zero.  Yes, it's used in a
number of rules, such as those looking for unicode, which will look like
u|00|n|00|i|00|c|00|d|00|e|00|.  There are also rules which look for null
bytes being passed to web apps.  Some cgi parsers will recognize
|00| as a string terminator, but when it gets handed to a perl
interpreter, it will not, allowing for a hole in some cases.

                                        Ryan
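
The vertical-bar notation described in the reply above, worked through as an added example (not part of the original message and not Snort's own code). The function names and sample payloads are hypothetical, and backslash escapes in content strings are deliberately not handled.

```python
import string

# Bytes written literally; everything else goes inside |..| as hex.
# '|', '"', ';' and '\' are always hex-encoded here, so no escaping is needed.
_LITERAL = set((string.ascii_letters + string.digits + " ./_-=?&:").encode("ascii"))


def parse_content(pattern: str) -> bytes:
    """Turn a content pattern into the raw bytes it matches."""
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content pattern")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("ascii")                  # literal text
        else:
            out += bytes.fromhex("".join(part.split()))  # hex bytes, spaces optional
    return bytes(out)


def to_content(data: bytes) -> str:
    """Render raw bytes as a content pattern, hex-encoding non-literal bytes."""
    out, hex_run = [], []
    for b in data:
        if b in _LITERAL:
            if hex_run:
                out.append("|" + " ".join(hex_run) + "|")
                hex_run = []
            out.append(chr(b))
        else:
            hex_run.append(f"{b:02X}")
    if hex_run:
        out.append("|" + " ".join(hex_run) + "|")
    return "".join(out)


def content_matches(pattern: str, payload: bytes) -> bool:
    """Case-sensitive substring match, like a content option without nocase."""
    return parse_content(pattern) in payload


# Constructed sample payloads (not captured traffic).
WIDE = "unicode".encode("utf-16-le")   # ASCII text stored as 16-bit characters
REQUEST = b"GET /cgi-bin/view.cgi?file=report.txt\x00.html HTTP/1.0\r\n"
```

Rendering `WIDE` with `to_content` shows why 16-bit text produces the alternating letter and `|00|` form: each ASCII character is followed by a zero high byte.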

