Snort mailing list archives

Re: spp_rpc_decode


From: Chris Green <cmg () uab edu>
Date: Sat, 06 Dec 2003 11:53:23 -0500

Paul Schmehl <pauls () utdallas edu> writes:


> OK.  I guess I don't fully comprehend the process of normalization.  I
> thought I understood it to be the reassembly of fragmented packets as
> well as the conversion of "special" characters to the "standard"
> expected input (removal of unicode, etc.)  Is my understanding
> incorrect?  Does it require both sides of the conversation to
> normalize the input to those ports?

rpc_decode normalizes the RPC over TCP message segmentation format.
It's really naive and just assumes that traffic on said port is rpc
traffic.

It doesn't require both sides of the conversation and it can't use it,
even if it has it.
-- 
Chris Green <cmg () dok org>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod
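
An added illustration, not part of the original message and not Snort's code: ONC RPC over TCP frames each record as one or more fragments, each preceded by a 4-byte mark (high bit = last fragment, low 31 bits = length), and normalizing that format means merging every record's fragments into one. The function name rpc_normalize and the sample bytes are assumptions made for this sketch, which, like the preprocessor described above, takes the input to be RPC and looks at one direction only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RM_LAST_FRAG 0x80000000u   /* high bit of the 4-byte record mark */

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Rewrite record-marked RPC data so every record is a single fragment.
 * Returns bytes written to out, or -1 when a mark claims more data than
 * is present, a record never ends, or out is too small.
 * Hypothetical helper for illustration, not Snort's API. */
long rpc_normalize(const uint8_t *in, size_t in_len,
                   uint8_t *out, size_t out_cap)
{
    size_t ip = 0, op = 0;
    while (ip < in_len) {
        size_t hdr = op;             /* slot for the merged record mark */
        uint32_t total = 0, mark = 0;
        if (out_cap - op < 4) return -1;
        op += 4;
        do {
            if (in_len - ip < 4) return -1;           /* truncated mark */
            mark = rd_be32(in + ip); ip += 4;
            uint32_t flen = mark & ~RM_LAST_FRAG;
            if (flen > in_len - ip || flen > out_cap - op) return -1;
            if (total > 0x7fffffffu - flen) return -1; /* 31-bit limit */
            memcpy(out + op, in + ip, flen);
            ip += flen; op += flen; total += flen;
        } while (!(mark & RM_LAST_FRAG));
        total |= RM_LAST_FRAG;
        out[hdr] = (uint8_t)(total >> 24); out[hdr + 1] = (uint8_t)(total >> 16);
        out[hdr + 2] = (uint8_t)(total >> 8); out[hdr + 3] = (uint8_t)total;
    }
    return (long)op;
}

/* Constructed sample: record "ABCDE" split as "AB" + "CDE", then record "Z". */
static const uint8_t sample[] = {
    0x00, 0x00, 0x00, 0x02, 'A', 'B', 0x80, 0x00, 0x00, 0x03, 'C', 'D', 'E',
    0x80, 0x00, 0x00, 0x01, 'Z' };
static uint8_t out_buf[32];

int main(void) {
    long n = rpc_normalize(sample, sizeof sample, out_buf, sizeof out_buf);
    printf("%ld bytes after normalization\n", n);
    return n < 0;
}
```

Because the input is never checked for being RPC at all, arbitrary bytes on the same port are parsed as record marks and either rejected or rewritten.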


