Snort mailing list archives

Re: Question about Content-Disposition, Content-Type, etc. and http_header buffer


From: Mike Cox <mike.cox52 () gmail com>
Date: Thu, 25 Oct 2012 16:50:04 -0500

I think the packets are correct.  I guess the situation is, when you have
encoding such as multipart/form-data, some header fields like
Content-Disposition can end up in the body of the message.  Thus, snort
rules matching on such headers and using the http_header buffer, won't
match as intended.  Make sense?

I was wondering if it was possible for http_inspect to realize this
situation and populate the http_header buffer with the headers from the
body so that rules matching on things like Content-Disposition in
http_header will still alert properly with situations such as
multipart/form-data encoding.

Thanks!

-Mike Cox

On Thu, Oct 25, 2012 at 4:35 PM, Joel Esler <jesler () sourcefire com> wrote:

On Oct 25, 2012, at 4:35 PM, lists () packetmail net wrote:

On 10/25/2012 03:07 PM, Joel Esler wrote:

Am I still missing the point?  Am I insane?


You're missing RFC 6266 which updates RFC 2616 ;)


There isn't anything in that RFC that alters the behavior of where the
header ends.

My point, I think, if I'm right, is that whatever program is generating the
packets Mike is talking about isn't doing so correctly.

--
*Joel Esler*
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
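The buffer split the thread is arguing about, as an added example that is not code from the original thread or from the Snort project: http_inspect cuts a request at the blank line after the request headers, so for a multipart/form-data upload every per-part Content-Disposition lands on the body side of the cut, where a rule using http_header cannot see it. The two requests, the boundary string and the filenames below are constructed for the demo; the buffer names are Snort's, the parsing is plain Python and is deliberately minimal (it does not handle a boundary string that also appears inside part data).

```python
"""
Added example (not from the snort-sigs thread or the Snort code base).
Models why content:"Content-Disposition"; http_header; misses a
multipart/form-data upload: the field sits in the client body, not in
the request header block. All requests here are constructed test data.
"""
from __future__ import annotations
import re

BOUNDARY = b"----demo1234"  # constructed boundary value

# Constructed browser-style upload: Content-Disposition only in the body.
MULTIPART_BODY = b"\r\n".join([
    b"--" + BOUNDARY,
    b'Content-Disposition: form-data; name="file"; filename="evil.exe"',
    b"Content-Type: application/octet-stream",
    b"",
    b"MZ\x90\x00fake-payload",
    b"--" + BOUNDARY,
    b'Content-Disposition: form-data; name="note"',
    b"",
    b"hello",
    b"--" + BOUNDARY + b"--",
    b"",
])
UPLOAD_REQUEST = b"\r\n".join([
    b"POST /upload HTTP/1.1",
    b"Host: example.test",
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY,
    b"Content-Length: " + str(len(MULTIPART_BODY)).encode(),
    b"",
    MULTIPART_BODY,
])

# Constructed contrast case: Content-Disposition as a real request header,
# which is where an http_header match does see it.
TOPLEVEL_REQUEST = b"\r\n".join([
    b"PUT /files/report.pdf HTTP/1.1",
    b"Host: example.test",
    b'Content-Disposition: attachment; filename="report.pdf"',
    b"Content-Type: application/pdf",
    b"Content-Length: 5",
    b"",
    b"%PDF-",
])


def split_request(raw: bytes) -> tuple[bytes, bytes]:
    """Cut a raw request into (header block, body) at the first CRLFCRLF,
    the same cut that separates http_header from http_client_body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    return head, body


def parse_headers(block: bytes) -> dict[str, str]:
    """Parse 'Name: value' lines into a dict keyed by lower-cased name.
    Used for both the request header block and each multipart part."""
    headers: dict[str, str] = {}
    for line in block.split(b"\r\n"):
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return headers


def boundary_from(headers: dict[str, str]) -> bytes | None:
    """Pull the boundary parameter out of a multipart Content-Type value."""
    m = re.search(r'boundary=("?)([^";]+)\1', headers.get("content-type", ""))
    return m.group(2).encode() if m else None


def multipart_parts(body: bytes, boundary: bytes) -> list[tuple[dict[str, str], bytes]]:
    """Minimal RFC 2046 body parser: (part headers, part data) per part,
    stopping at the closing '--boundary--' delimiter."""
    delimiter = b"--" + boundary
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter, no more parts
            break
        chunk = chunk.removeprefix(b"\r\n").removesuffix(b"\r\n")
        part_head, _, data = chunk.partition(b"\r\n\r\n")
        parts.append((parse_headers(part_head), data))
    return parts


def content_disposition_report(raw: bytes) -> dict:
    """Report which buffer a Content-Disposition match would hit, and
    every filename= value carried, whether top-level or per part."""
    head, body = split_request(raw)
    req_headers = parse_headers(head)
    filenames: list[str] = []

    def grab_filename(cd_value: str) -> None:
        m = re.search(r'filename="([^"]*)"', cd_value)
        if m:
            filenames.append(m.group(1))

    grab_filename(req_headers.get("content-disposition", ""))
    boundary = boundary_from(req_headers)
    if boundary:
        for part_headers, _data in multipart_parts(body, boundary):
            grab_filename(part_headers.get("content-disposition", ""))
    return {
        "in_http_header": "content-disposition" in req_headers,
        "in_http_client_body": b"content-disposition" in body.lower(),
        "filenames": filenames,
    }


if __name__ == "__main__":
    for label, req in (("upload", UPLOAD_REQUEST), ("toplevel", TOPLEVEL_REQUEST)):
        print(label, content_disposition_report(req))
```

In Snort 2.9 rule terms the two booleans map to `content:"Content-Disposition"; http_header;` and `content:"Content-Disposition"; http_client_body;`: the upload request is only caught by the second, the PUT with a top-level header only by the first, which is why a single http_header rule cannot cover both cases.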
