Re: (http\_inspect) NON-RFC DEFINED CHAR

[Jeff Kell <jeff-kell () utc edu>]

CMartin () infosol com wrote:

> Well, I checked out what I could.  Non-RFP Defined CHAR is a warning that
> the new http_inspect gives you.  Quote from manual: "For instance, a user
> may not want to see NULL bytes in the request-URI" (also known as URL) "and
> we can give an alert on that."  In the http_inspect configuration you can
> define what characters to look for.  Also you can tell the http inspect
> processor to alert when this (and other http_inspect warnings) occur.
>
> I suggest checking out the new documentation for snort 2.1.0.. VERY
> interesting and awesome new features added with snort2.1.0!

I'm getting loads of these, as well as double-decode warnings from 
people using hotmail.  I don't want to have to make config entries for 
all of the hotmail servers...  also NON-RFC Delimiter errors in P2P 
traffic.  I would prefer that it only look at URIs from $EXTERNAL_NET.

Jeff



-------------------------------------------------------
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users