From: William M. <Wil...@kc...> - 2004-04-02 13:50:42
I think that they made this change in the snort 2.1.x series of snort. I tried to enable the http_inspect preprocessor just to see if it would successfully decode and drop packets, and it appears to be broken. Can somebody running snort_inline-2.1.1 try this? You should be able to test by doing something like the following, replacing "somewebsite" with a test server or your web server. You should always get a "page cannot be displayed" rather than a "page could not be found", i.e. these requests should never make it to the webserver. The rule numbers in order are 1072, 1078, 1073; all of them come out of the web-misc.rules.

http://somewebsite.com/blah.nsf/../
http://somewebsite.com/counter.exe
http://somewebsite.com/scripts/samples/search/webhits.exe
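
The check described in the message above, as an added example that is not part of the original post: it sends the three paths to a test server you run behind snort_inline and reports whether each request got an HTTP answer (it reached the web server) or no response at all (consistent with an inline drop). The names `PROBES`, `probe`, `run` and the result labels are hypothetical; `http.client` is used because it sends the path exactly as written and does not collapse `../` before the request leaves the client.

```python
import http.client
import sys

# Paths from the post, paired in order with the web-misc.rules SIDs it lists.
PROBES = [
    (1072, "/blah.nsf/../"),
    (1078, "/counter.exe"),
    (1073, "/scripts/samples/search/webhits.exe"),
]


def probe(host, port, path, timeout=5.0):
    """Send one GET and classify the outcome.

    Returns ("reached_server", status) if any HTTP response came back,
    or ("no_response", None) on timeout, reset or refused connection.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # The path is sent verbatim, so "/blah.nsf/../" stays intact on the wire.
        conn.request("GET", path, headers={"Connection": "close"})
        return ("reached_server", conn.getresponse().status)
    except (OSError, http.client.HTTPException):
        return ("no_response", None)
    finally:
        conn.close()


def run(host, port=80, timeout=5.0):
    """Probe every path; returns a list of (sid, path, outcome, status)."""
    return [(sid, path) + probe(host, port, path, timeout)
            for sid, path in PROBES]


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py <test-server-host> [port]")
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    for sid, path, outcome, status in run(sys.argv[1], target_port):
        # A 404 here means the request passed the inline sensor untouched.
        print(f"sid {sid:<5} {path:<40} {outcome} {status or ''}")
```

A `reached_server` result with status 404 corresponds to the "page could not be found" case in the post; `no_response` corresponds to "page cannot be displayed".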