Snort mailing list archives
Re: More sid 1841
From: Matt Kettler <mkettler () evi-inc com>
Date: Sat, 22 Feb 2003 13:17:40 -0500
At 10:59 PM 2/22/2003 +0800, Michael Boman wrote:
On Fri, Feb 21, 2003 at 03:27:10PM -0500, Matt Kettler wrote: According to RFC 1034 and 1035 the hostname can be a maximum of 255 bytes, so just make sure the '\n' are within 255 bytes from the end of 'javascript://'.
Hmmm, that's true of the domain name itself, but that doesn't mean the domain name can't be encoded using escape sequences, unicode, etc, and take up much more than 255 bytes in the html.
Snort has preprocessors for normalizing URI requests made to a http server itself, but I don't know if they normalize the contents of pages sent back to clients. Somehow I doubt it.
------------------------------------------------------- This SF.net email is sponsored by: SlickEdit Inc. Develop an edge. The most comprehensive and flexible code editor you can use. Code faster. C/C++, C#, Java, HTML, XML, many more. FREE 30-Day Trial. www.slickedit.com/sourceforge _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- More sid 1841 Schmehl, Paul L (Feb 20)
- <Possible follow-ups>
- Re: More sid 1841 Kenneth G. Arnold (Feb 21)
- Re: More sid 1841 Matt Kettler (Feb 21)
- RE: More sid 1841 Schmehl, Paul L (Feb 21)
- RE: More sid 1841 Matt Kettler (Feb 21)
- RE: More sid 1841 --experimental? twig les (Feb 21)
- RE: More sid 1841 -experimental? Matt Kettler (Feb 21)
- Re: More sid 1841 Michael Boman (Feb 22)
- Re: More sid 1841 Matt Kettler (Feb 22)
- RE: More sid 1841 --experimental? twig les (Feb 21)
- RE: More sid 1841 Matt Kettler (Feb 21)
- RE: More sid 1841 Schmehl, Paul L (Feb 21)
- RE: More sid 1841 Schmehl, Paul L (Feb 22)