Snort mailing list archives

Snort "NORMALIZATION" question


From: Miso Patel <miso.patel () gmail com>
Date: Mon, 6 Feb 2012 12:54:12 -0600

I see talk and read in the manual about "NORMALIZATION" that is done
by preprocessors.  So fields like http match (http_header, http_uri,
http_cookie, http_client_body, etc.) are "NORMALIZED" (depending on
what you set in your snort.conf and at compile/configure time).

My question is, what exactly does the "NORMALIZATION" do?  I can get
one of my engineers to look at the code and tell me, but I thought
that perhaps there would be a good explanation of this (like one of the
"how-to" guides), although I cannot find it when searching.

For example, what if there is an http_client_body that sees a POST
'?petsolv=true&saltedPug=7&seed=many&jeryk=12Pepper'; do the '=' and
'&' characters get "NORMALIZED" out or changed in any way?  These are
the specific examples of what we are asking about.  What gets changed,
and how?  I think many would like to read about it and could then
know for sure without doing many lab tests or getting a programmer to
read the Snort source.

Also (my engineers want me to ask), when you use the specific
'http' fields (http_header, etc.), what is searched?  Is the header
"name" included in the field?  What about before and after
new-lines?  Is more than one space removed?  Do you do double decode?
(I'm not sure what this is, but Vijay wanted me to ask :)

Thank you to all.

Miso, CISO
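The double decoding and escape handling the post asks about, shown as an added illustrative example; this is not Snort's http_inspect code, and the function names, flag names and sample URIs are my own constructions (the exact steps Snort applies depend on its preprocessor configuration).

```python
import re

# Teaching example of the kind of URI normalization an HTTP inspector performs
# before rule matching. Assumption: this approximates the general idea only;
# it is not Snort's own implementation.

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")

def percent_decode_once(s: str) -> str:
    """Replace each %XX escape with its byte value; '=' and '&' stay as they are."""
    return _PCT.sub(lambda m: chr(int(m.group(1), 16)), s)

def normalize_uri(raw: str, double_decode: bool = True) -> dict:
    """Return the normalized URI plus the flags a detection engine would raise."""
    flags = []
    once = percent_decode_once(raw)
    if once != raw:
        flags.append("percent_encoded")
    out = once
    if double_decode:
        twice = percent_decode_once(once)
        if twice != once:
            # A second pass still found escapes: the client double-encoded the
            # request, which hides "../" from a matcher that decodes only once.
            flags.append("double_encoded")
            out = twice
    # Collapse repeated slashes and resolve "." and ".." in the path part only;
    # the query string (the poster's '=' and '&' example) is left untouched.
    path, sep, query = out.partition("?")
    path = re.sub(r"/{2,}", "/", path)
    segs = []
    for seg in path.split("/"):
        if seg == "..":
            if segs:
                segs.pop()
            flags.append("directory_traversal")
        elif seg not in ("", "."):
            segs.append(seg)
    path = "/" + "/".join(segs)
    return {"uri": path + sep + query, "flags": list(dict.fromkeys(flags))}

if __name__ == "__main__":
    # Constructed sample inputs: the poster's query string and a double-encoded path.
    print(normalize_uri("/index.php?petsolv=true&saltedPug=7&seed=many&jeryk=12Pepper"))
    print(normalize_uri("/cgi-bin/%252e%252e/etc/passwd"))
    print(normalize_uri("/cgi-bin/%252e%252e/etc/passwd", double_decode=False))
```

Comparing the last two calls shows why the double-decode setting matters: with a single decoding pass the traversal segment survives as "%2e%2e" and a rule that looks for ".." never sees it.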

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!