Snort mailing list archives

Re: snort normalization trouble // not working as I expect


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Mon, 23 Dec 2013 15:08:09 +0000

On Dec 23, 2013, at 9:35 AM, Lil Evil <Lil_Evil () gmx de> wrote:

I guess that would explain my observation and the behaviour of my IPS setup. So the traffic would be normalized by the pre-processor and processed by the pre-processor rules before the normalized traffic is passed to the inspection rules? I assume that instead of an alert, a drop would also be possible on the pre-processor rules? Not that I want to drop HTTP traffic with too many whitespaces in it, but to understand the correct traffic flow.

Correct.

You can enable drop on the preprocessor rules.  But as you said, I wouldn’t want to do it wholesale.

--
Joel Esler
Intelligence Lead
Open Source Manager
Vulnerability Research Team
New Email: jesler () cisco com
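As an added illustration (not part of this thread or of the Snort distribution), this is how the action of a Snort 2.9 preprocessor rule is changed from alert to drop: the preprocessor rules live in their own file, use the same action keyword as detection rules, and drop only takes effect when Snort runs inline. The sid value and the msg text are placeholders, not a specific event from the shipped preprocessor.rules; gid 119 is the HTTP Inspect client-side generator.

```snort
# snort.conf (excerpt): run inline (also start snort with -Q on an inline DAQ)
# so that a "drop" action really drops, and include the preprocessor/decoder
# rule files that carry the per-event actions.
config policy_mode:inline
var PREPROC_RULE_PATH /etc/snort/preproc_rules
include $PREPROC_RULE_PATH/preprocessor.rules
include $PREPROC_RULE_PATH/decoder.rules

# preproc_rules/preprocessor.rules (excerpt)
# Flow: HTTP Inspect normalizes the request, raises this event on the
# normalized buffer, and the rules engine then inspects the same buffer.
#
# Default form: only alert on the event, let the packet through.
# alert ( msg: "HTTP_INSPECT EXAMPLE EVENT"; sid: 99999; gid: 119; rev: 1; metadata: rule-type preproc; classtype: protocol-command-decode; )
#
# Same event with the action changed: only the leading keyword differs,
# gid and sid must stay as the preprocessor generates them.
# sid 99999 and the msg text are placeholders for this example.
drop ( msg: "HTTP_INSPECT EXAMPLE EVENT"; sid: 99999; gid: 119; rev: 1; metadata: rule-type preproc; classtype: protocol-command-decode; )
```

Switching an HTTP Inspect event to drop discards every request that triggers it, which is why a wholesale change is rarely wanted; changing one event at a time and watching the resulting drop counters is the safer route.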
