From: Pieter C. <pie...@co...> - 2004-04-02 13:34:47
The version that I tested on was snort-inline_2.0.2 and snort-2.0.2.

Pieter

On Fri, 2004-04-02 at 14:15, William Metcalf wrote:
> Which version of snort_inline are you using? I get an error message
> when I try to add the http_decode preprocessor into a config for
> snort_inline-2.1.1. It was my understanding that the http_decode
> preprocessor was replaced by the http_inspect preprocessor.
>
> Regards,
>
> Will
>
> Pieter Claassen <pie...@co...>
> Sent by: sno...@li...
> 04/02/2004 06:48 AM
>
> To: bja...@ci...
> cc: snort-inline <sno...@li...>
> Subject: RE: [Snort-inline-users] uricontent matching v2
>
> Ok, here is the test packet sent through
>
> pieter@pc-dt:/tmp$ telnet 192.168.3.20 80
> Trying 192.168.3.20...
> Connected to 192.168.3.20.
> Escape character is '^]'.
> GET %2fnos%20%68ite HTTP/1.0
>
> This session will then be closed because of the REJECT rule action.
> The relevant snort.conf bits are:
>
> ....
> preprocessor telnet_decode:
> preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
> preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 32000
> preprocessor rpc_decode: 111 32771
> preprocessor bo: -nobrute
> output log_unified: filename snort.log, limit 128
> ...
> reject tcp any any -> any any (msg:"test"; sid:2000000; rev:0; classtype:not-suspicious; uricontent: "noshite";)
> ...
>
> Pieter
>
> On Fri, 2004-04-02 at 11:59, Brian Jameson wrote:
> > Pieter wrote:-
> >
> > > Yes, the uricontent works and it decodes and drops packets that match
> > > in inline mode.
> > >
> > > Pieter
> > >
> > > On Fri, 2004-04-02 at 02:43, William Metcalf wrote:
> > >> Has anybody been able to confirm or deny that uricontent matching is
> > >> broken in 2.1.1? I would like to know so that if it's the
> > >> configuration that I'm running with, I can start to look there. If
> > >> not, I don't mind trying to fumble my way through some C code to try
> > >> to get it to work, if someone could point me in the right
> > >> direction. I tried looking at the diff and the sp_pattern_match.c
> > >> file, is this the correct place to start?
> > >>
> > >> Regards,
> > >>
> > >> Will
> >
> > Interesting, could the fact that some people say it works and some say it
> > does not be down to configuration? Pieter, any chance you could post (failing
> > that, send me) part of your config file? This may explain why William Metcalf
> > and others are failing to match. It would certainly speed up my updating of
> > snort_inline.
> >
> > regards,
> > Brian
> >
> > _______________________________________________
> > Snort-inline-users mailing list
> > Sno...@li...
> > https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> --
> Pieter Claassen <pie...@co...>

--
Pieter Claassen <pie...@co...>