Snort mailing list archives

Re: uricontent misbehaving?


From: Daniel Carroll <snort () defiant mesastate edu>
Date: Fri, 2 Nov 2001 13:22:41 -0700

Yuk.  And my server was one of the ones that complained.  What it
complained about was the 'window.open(...)' line in that mail message.

My opinion of McAfee's virus scanner just went down several notches.

        - Dan (Daniel Carroll)

From: Tim Kramer <kramert () mlrnoc navy mil>
Subject: Re: [Snort-users] uricontent misbehaving?
Date: 02 Nov 2001 22:32:13 -0500

Then again, just having the r-word with the
e-extension caused various people's mail servers to
spit the message back at me.  I guess the rule of
thumb should be to write the filter to be large
enough to be minimally functional without causing
false alerts.  There's at least 12 mail servers out
there using a commercial anti-virus program that
spit my last message back at me (and they should
know better).  Next thing you know, we'll not be
able to send e-mail because someone wrote a virus
that contains the word "the".

- Tim

From: Martin Roesch <roesch () sourcefire com>
Subject: Re: [Snort-users] uricontent misbehaving?
Date: Fri, 02 Nov 2001 15:14:19 -0500

It depends.  The uricontent keyword is linked to having the http_decode
preprocessor turned on (yes, I know it's not orthogonal).  Basically, if
http_decode isn't turned on Snort won't generate the URI data in the
packet structure and the uricontent keyword will operate exactly as the
content keyword does.  You also need to have your $EXTERNAL_NET set to
!$HOME_NET if you don't want to catch outbound traffic as well.

[Original message snipped to halt the flood of email anti-virus systems
false alarming on the name of the file in question that was part of that
email.  Wow, anti-virus software is lame...]

     -Marty
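
The two configuration conditions described in the message above can be checked mechanically. The following is an added example, not code from the thread or from the Snort project: a small lint over Snort 1.x-style `snort.conf` text. The function name `lint_snort_conf`, the sample configuration and its rule contents are constructed, and the check assumes `EXTERNAL_NET` is written literally as `!$HOME_NET` when set as recommended.

```python
import re

# Constructed sample configuration (not from the thread); rule contents are placeholders.
SAMPLE_CONF = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET any
# preprocessor http_decode: 80
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"placeholder web rule"; uricontent:"/placeholder.cgi"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"placeholder content rule"; content:"placeholder"; sid:1000002;)
"""

def lint_snort_conf(text):
    """Return warnings for the two conditions described in the message above."""
    variables, http_decode_on, uri_rules = {}, False, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive does not count as enabled
        m = re.match(r"var\s+(\S+)\s+(\S+)", line)
        if m:
            variables[m.group(1)] = m.group(2)
        elif re.match(r"preprocessor\s+http_decode\b", line):
            http_decode_on = True
        elif re.search(r"\buricontent\s*:", line):
            uri_rules.append(lineno)
    warnings = []
    if uri_rules and not http_decode_on:
        warnings.append("http_decode is not enabled: uricontent on line(s) %s "
                        "will match like content" % ", ".join(map(str, uri_rules)))
    ext = variables.get("EXTERNAL_NET")
    if ext != "!$HOME_NET":
        # Assumption: only the literal form recommended in the message is accepted.
        warnings.append("EXTERNAL_NET is %r, not !$HOME_NET: outbound traffic "
                        "can also match" % ext)
    return warnings

if __name__ == "__main__":
    for w in lint_snort_conf(SAMPLE_CONF):
        print("WARNING:", w)
```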
