RE: spaces causing problems in content filters in win32 port of snort (resend)

["Tom H" <tom () scriptsupport co uk>]

> when a content filter contains a space ' ' or a '.' character, 
> snort does not seem to be matching the text correctly. ie 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"P O R 
> N free ZZZ"; content:"FREE ZZZ"; nocase; flow:to_client; 
> classtype:kickass-p o r n; sid:1310; rev:5;)
> never matches my test page with "FREE ZZZ" that I have created, 
> at the moment it will match single words like 'freezzz', but will 
> not match 'free zzz' or words seperated by dots 
> 'alt.binarires.whatever', commenting out the dots '\.' seems to 
> work for dots, but not for spaces. and this also has the pain of 
> breaking a lot of the rules supplies along with snort.

After some investigation it seems that snort detects these fine unless the web page
is returned chunked-encoded - like google for example; but for sites with no encoding
it detects the content string fine.

is there any more documentation on things like this that I missed?

Tom H




-------------------------------------------------------
This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
www.parasoft.com/bulletproofapps1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users