Snort mailing list archives
Snort "NORMALIZATION" question
From: Miso Patel <miso.patel () gmail com>
Date: Mon, 6 Feb 2012 12:54:12 -0600
I see talk and read in the manual about "NORMALIZATION" that is done by preprocessors. So fields like http match (http_header, http_uri, http_cookie, http_client_body, etc.) are "NORMALIZED" (depending on what you set in your snort.conf and at compile-configure times).

My question is, what exactly does the "NORMALIZATION" do? I can get one of my engineers to look at the code and tell me, but I thought that perhaps there would be a good explanation of this (like one of the "how-to" guides), although I cannot find it when searching.

For example, what if there is an http_client_body that sees a POST '?petsolv=true&saltedPug=7&seed=many&jeryk=12Pepper', do the '=' and '&' characters get "NORMALIZED" out or changed in any way? These are the specific examples of what we are asking about. What gets changed and how? I think many would like to read about it and can then know for sure without doing many lab tests or getting a programmer to read the Snort programming.

Also (my engineers want me to ask), when you use the specific 'http' fields (http_header, etc.), what is searched? Is the header "name" included in the field? What about before and after new-lines? Is more than one space removed? Do you do double decode? (I'm not sure what this is but Vijay wanted me to ask :)

Thank you to all.

Miso, CISO

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!