> -----Original Message-----
> From: Christian Swartzbaugh [mailto:feofil@xxxxxxxxx]
> Sent: Thursday, June 01, 2006 4:20 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Snort HTTP Inspect Pre-Processor Uricontent Bypass
>
> For those of you using snort on this list, this got posted to some of
> the snort mailing lists this morning.
>
> http://www.demarc.com/support/downloads/patch_20060531
> http://www.osvdb.org/25837
>
>
> "The evasion technique allows an attack to bypass detection of
> "uricontent" rules by adding a carriage return to the end of a URL,
> directly before the HTTP protocol declaration.
> This affects thousands of rules in the standard Snort base rule sets.
>
>
> Due to the seriousness of this vulnerability, we have developed a
> working patch for public review. See below.
> This patch addresses the carriage return bug and should catch the
> known evasion attempts but further research needs to be done to
> determine if there are any other possible impacts of this bug. The
> detection for evasion is turned on by default under all profiles but
> can also be used as a server configuration option:
> -----HTTP Inspect Server Configuration-----
>
> non_std_cr <yes|no>
>
>
> This option generates an alert when a non standard carriage return
> character is detected in the URI.
> -----end-----
>
> More information including a pre-patched tarball, a simple proof of
> concept, and a copy of this patch ..."
>
> feofil
>
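
Added example, not part of the quoted advisory or of the Demarc patch: a minimal Python check in the spirit of the `non_std_cr` option described above, which flags a carriage return inside the request line and still extracts the URI so a content match can run against it. The function names and sample requests are constructed for illustration; this is not Snort's implementation.

```python
CR = 0x0D

def request_line(raw: bytes) -> bytes:
    """Bytes up to the first LF, minus the CR that belongs to the CRLF terminator."""
    end = raw.find(b"\n")
    line = raw if end < 0 else raw[:end]
    return line[:-1] if line.endswith(b"\r") else line

def non_std_cr_offsets(raw: bytes) -> list[int]:
    """Offsets of carriage returns inside the request line (not part of CRLF)."""
    return [i for i, b in enumerate(request_line(raw)) if b == CR]

def split_request_line(raw: bytes):
    """Return (method, uri, version), treating a stray CR as field whitespace.

    Returns None when the line is not exactly METHOD URI HTTP/x.y, for
    example when a CR sits in the middle of the URI; the CR alert still fires.
    """
    fields = request_line(raw).replace(b"\r", b" ").split()
    if len(fields) != 3 or not fields[2].startswith(b"HTTP/"):
        return None
    return tuple(fields)

def inspect(raw: bytes, uricontent: bytes) -> dict:
    """Report the non-standard CR condition and the content match separately."""
    parsed = split_request_line(raw)
    return {
        "non_std_cr": bool(non_std_cr_offsets(raw)),
        "uri": parsed[1] if parsed else None,
        "uricontent_match": bool(parsed) and uricontent in parsed[1],
    }

# Constructed sample requests (hypothetical paths, not taken from any rule set).
SAMPLES = {
    "normal": b"GET /cgi-bin/example.cgi HTTP/1.0\r\nHost: a\r\n\r\n",
    "cr_before_version": b"GET /cgi-bin/example.cgi\r HTTP/1.0\r\nHost: a\r\n\r\n",
    "benign": b"GET /index.html HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect(raw, b"/cgi-bin/example.cgi"))
```
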