Snort mailing list archives
Re: base64 for http_inspect
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 30 Jul 2010 17:17:25 -0400
Paul,

Most of everyone who can properly answer this question is at Blackhat/Defcon. I know there is more base64 decoding in snort-2.9.0. I don't want to speculate on why you are seeing it in snort-2.8.6.1.

J

On Jul 30, 2010, at 3:41 PM, Paul Schmehl wrote:
Would someone please explain this statement in the README.http_inspect doc for snort 2.8.6.1?

--Options Available Under Stateful Inspection--

* base64 [yes/no] *
Enables base64 decoding of certain fields where stateful inspection determines that base64 encoding is present.

I've tried the following:

Adding base64 yes to the global config - fails
Adding base64 yes to a server profile - fails
Adding a separate line as follows: preprocessor http_inspect: stateful inspection base64 yes - fails

How do you implement base64 decoding for http_inspect?

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson

------------------------------------------------------------------------------
The Palm PDK Hot Apps Program offers developers who use the Plug-In Development Kit to bring their C/C++ apps to Palm for a share of $1 Million in cash or HP Products. Visit us here for more details: http://p.sf.net/sfu/dev2dev-palm
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- base64 for http_inspect Paul Schmehl (Jul 30)
- Re: base64 for http_inspect Joel Esler (Jul 30)
- Re: base64 for http_inspect Bhagya Bantwal (Aug 02)
- Re: base64 for http_inspect Paul Dokas (Aug 02)
- Re: base64 for http_inspect Bhagya Bantwal (Aug 02)
- Re: base64 for http_inspect Paul Dokas (Aug 02)