From: Pieter C. <pie...@co...> - 2004-04-02 12:48:41

Ok, here is the test packet sent through:

pieter@pc-dt:/tmp$ telnet 192.168.3.20 80
Trying 192.168.3.20...
Connected to 192.168.3.20.
Escape character is '^]'.
GET %2fnos%20%68ite HTTP/1.0

This session will then be closed because of the REJECT rule action.

The relevant snort.conf bits are:

....
preprocessor telnet_decode:
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
preprocessor rpc_decode: 111 32771
preprocessor bo: -nobrute
output log_unified: filename snort.log, limit 128
...
reject tcp any any -> any any (msg:"test"; sid:2000000; rev:0; classtype:not-suspicious; uricontent: "noshite";)
...

Pieter

On Fri, 2004-04-02 at 11:59, Brian Jameson wrote:
> Pieter wrote:-
>
> > Yes, the uricontent works and it decodes and drops packets that match
> > in inline mode.
> >
> > Pieter
> >
> > On Fri, 2004-04-02 at 02:43, William Metcalf wrote:
> >> Has anybody been able to confirm or deny that uricontent matching is
> >> broken in 2.1.1? I would like to know so that if it's the
> >> configuration that I'm running with, I can start to look there. If
> >> not, I don't mind trying to fumble my way through some C code to try
> >> to get it to work, if someone could point me in the right
> >> direction. I tried looking at the diff and the sp_pattern_match.c
> >> file, is this the correct place to start?
> >>
> >> Regards,
> >>
> >> Will
> >
> >
> Interesting, could the fact that some people say it works and some say it
> does not be down to configuration? Pieter, any chance you could post (failing
> that, send me) part of your config file? This may explain why William Metcalf
> and others are failing to match. It would certainly speed up my updating of
> snort_inline.
>
> regards,
> Brian
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users

--
Pieter Claassen <pie...@co...>