Snort mailing list archives

Re: [Snort-Devel] bug in http preprocessor and non ascii characters 2.8.6.1


From: Bhagya Bantwal <bbantwal () sourcefire com>
Date: Fri, 18 Mar 2011 10:56:13 -0400

I don't really see a side effect. If you have a setup which sees a lot of
HTTP traffic with extended ASCII or Unicode URIs, I would suggest using this
option.

The URI buffer pointing to the entire header when this option is not turned on
will be fixed soon.

-B
On Wed, Mar 16, 2011 at 5:43 PM, matan monitz <mmonitz () gmail com> wrote:

Thank you, that helped.
Are there supposed to be any negative side effects to this option?


On Wed, Mar 16, 2011 at 7:23 PM, Bhagya Bantwal <bbantwal () sourcefire com> wrote:


You can turn on extended_ascii_uri in http_inspect_server to handle
non-printable letters.

-B
On Wed, Mar 16, 2011 at 1:02 PM, matan monitz <mmonitz () gmail com> wrote:

Hello,
I am encountering runaway URI buffers when inspecting packets with non-ASCII
characters in the URI.
What basically happens is that, for some reason, if the URI contains
non-printable letters (Hebrew ANSI from IE, for instance) the URI buffer gets
filled with header data, resulting in false positives.
I haven't tested the buffers using the methods described in the recent
blog post, but I have tested it with custom rules and was able to recreate the
bug.
Is this a known bug or some configuration option I'm missing?
I can post the test pcaps and rules if needed.



_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
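
The configuration change suggested in this thread, together with a local test rule for checking whether header text still ends up in the URI buffer. This is an added example, not configuration or rules posted by either participant; the port list, rule message and sid are constructed for illustration, and the rule assumes the test requests carry a User-Agent header.

```snort
# --- snort.conf fragment (Snort 2.8.6.x http_inspect syntax) ---
# Port list is constructed for this example; use the ports your sensor inspects.

# Before: no extended_ascii_uri. The thread reports that a URI containing
# non-ASCII bytes can leave the URI buffer covering the request headers too.
# preprocessor http_inspect_server: server default \
#     ports { 80 }

# After: accept extended ASCII bytes inside the request URI.
preprocessor http_inspect_server: server default \
    ports { 80 } \
    extended_ascii_uri

# --- local.rules: diagnostic only, not a detection rule ---
# The content match is restricted to the URI buffer, so on ordinary requests
# it should fire only when header text has leaked into that buffer.
# Replay the same test pcap with and without extended_ascii_uri and compare.
alert tcp any any -> any 80 (msg:"TEST header text inside URI buffer"; content:"User-Agent|3A|"; nocase; http_uri; sid:1000001; rev:1;)
```

If the rule fires on a request whose URI contains non-ASCII bytes with the option off and stays silent with it on, the sensor is showing the behaviour described in this thread.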




